Every piece of legislation directed at technology seems to have unintended consequences. I mentioned last week that companies are now stepping up to unintended consequences and costs of the Patriot Act. Add another to the list.
Jaikumar Vijayan’s article in ComputerWorld suggests that a new California Data Privacy Law intended to protect Californians against identity theft may have wide-ranging and unexpected consequences for any company doing business in California. In simplest terms, a company may have an obligation to notify California citizens in the event of a security breach that might lead to identity theft. But it’s not so simple. As the article indicates, some have found the statutory language ambiguous and a company that notifies only Californians of a security breach invites a public relations nightmare.
If that’s not fun enough, imagine 50 different state identity theft laws, plus federal laws on the subject as well.