At a conference recently, one of the panelists asserted that the California Disclosure Law (SB-1386) was the worst information security law in memory. I disagree. I think it is the best regulation around information security, even better than GLBA. Most information security regulations are about controls – that is, they specify how one should protect information assets. Sometimes those are relevant controls – but in practice, every IT environment is a little different, and what works for one environment isn’t going to work for another.
What SB-1386 has done for the industry is create a very clear cost for an information security breach. Now, companies will, hopefully, think about what controls are relevant for their environment. And maybe, just maybe, that will lead to better security.