Pop music now has more in common with data security, thanks to the new Czech cyber-security law and an amended Californian data protection code. After all, “Caught in a landslide, no escape from reality”, the line from Queen’s "Bohemian Rhapsody," is a timely description of data breaches and the new wave of legislation.
But first the facts: The new Czech cyber-security legislation (zákon o kybernetické bezpečnosti) falls squarely within the context of the EU Cyber-security Strategy with its goal of securing the country’s IT backbone and establishing a CERT center.
It comes into effect in 2015 and is one of the first cyber-security laws passed following the European Parliament’s approval of the draft Network and Information Security Directive (known as the Cyber-security Directive).
Three pillars for your data
Even if you never set foot in the Czech Republic, the Czech law shows what is coming within the larger European context with its three-pillar structure:
1. Standardization – Establishing a defined list of security standards
2. Announcement – Listing security events that organizations are required to detect, react to, and announce to the relevant authorities.
3. Countermeasures – Defining needed actions after the announcement of a security incident.
Within these three pillars, the new law divides cyber-security into technical and organizational measures. This division is needed because many technical measures, such as firewalls and antivirus, are well known (although others, like Data Leak Prevention, are not), while the benefits of incorporating security measures within the organizational structure, such as ISO 27001 or Safetica, are significantly underappreciated. The Czech law will directly influence the activities of many state, financial, health, and IT sector organizations once it comes into effect, and is also positioned to help influence other cyber-security laws within the EU.
"Open your eyes, look up to the skies and see," sings Freddie Mercury. Yes, it's time for Czechs and Europeans to take a much closer look at their security measures on the ground and in the clouds.
California dreamin' of data privacy
And now for California: “I'd be safe and warm if I was in L.A.,” harmonize The Mamas & the Papas. That is not exactly true, as your data is still at risk in California. But this state – home of early restrictions on everything from car exhaust to smoking and soft drinks – is still trying to be at the forefront of data protection. And by the way, California legislation has a tendency to be copied elsewhere.
Assembly Bill No. 1710 amends several sections of the California Civil Code that cover information privacy. While some changes such as prohibiting the sale of social security numbers seem like no-brainers, the amendment effectively ups the cost of a data breach. Organizations will be required to provide identity theft prevention and mitigation services to individuals for one year if their private details are leaked.
Keep eyes open for 'reasonable security'
The amendment also expands the requirement for organizations to secure sensitive data. It is no longer limited to organizations that "own or license" personal information on a California resident. The expanded law now applies to organizations that merely "maintain" personal information about a California resident. And as White & Case points out, organizations will need to keep an eye out for what constitutes "reasonable" security. We just hope that this includes ISO-type process controls and security solutions that help with data leak protection, encryption, regulatory compliance, or activity monitoring, such as Safetica provides. After all, data security shouldn't be just "California dreamin' on such a winter's day."