Case Study: One Companys Response to the California Identity Theft Law

This case study tells the story of how our company dealt with two challenges: suffering the theft of some confidential client data; and, bringing our systems into compliance with the new California identity theft law, SB 1386 that set compliance-goals to protect consumers. An inventory and assessment of over 100 application environments categorized the risk factors emanating from various tiers: Back-end servers, middle-tier (including network) systems, client-tier systems and business-risk. Risks were methodically identified in this fashion and vetted by stakeholders, along with proposed mitigation and remediation actions. Next, the highest-risk vulnerabilities were identified and fixed first. At the same time, an education program was begun, with help from our general counsel, to educate staff and vendors on enhanced guidelines for handling confidential client data. The results of our efforts have created a more secure environment that better protects our clients' confidential information. We also have an enhanced corporate-wide understanding of, and commitment to, these new guidelines that will serve us well, as we remediate the remaining existing systems and deploy new systems in the future.