By D. Ken Brock –

By now, most everyone has heard of the recent security vulnerability known as “Heartbleed”.  According to technology experts, however, this particular vulnerability has actually been present for about two years now with about two-thirds of the servers currently on the Internet.  If exploited, Heartbleed could ultimately lead to the compromise of authentication credentials, such as usernames, passwords or encryption keys, used to safeguard the privacy of communications transmitted to or from millions of websites in three separate ways.

First, communications to and from any system which utilizes certain versions of OpenSSL (those that utilize OpenSSL version numbers 1.0.1 through 1.0.1f and 1.0.2-beta1) may be at direct risk of interception.  The authentication credentials of personnel and information sent by employees to commonly-used business websites, such as Dropbox, which utilize these particular OpenSSL versions may also be at risk.  Lastly, if an employee utilizes the same username and password for personal Internet use as they do for work (let's be honest here, most of us do), those organizational systems could likewise be subject to compromise.

In California, there may ultimately be legal consequences should Heartbleed result in a security breach in which the confidentiality of customers' personal information is ever compromised.  Specifically, under the California Information Practices Act (“IPA”), those who own or license personal information in electronic format are generally required to notify the individuals about whom the information pertains when they reasonably suspect that the information has been subject to a security breach.  While IPA does not mandate a specific time frame in which such notification is to take place, it does specify that notification must occur in “the most expedient time possible”.

Under IPA, “personal information” may include, among other things, a user's name or e-mail address whenever it is combined with a password or security question that would permit access to an online account.  IPA also specifically defines a “security breach” to consist of the unauthorized acquisition of computerized data which compromises the security, confidentiality or integrity of any such information.

While the mere fact that an organization may have been vulnerable would not automatically trigger the notification requirement, the discovery that Heartbleed was exploited in such a way to compromise the security, confidentiality or integrity of any such personal information would ultimately require the organization to immediately notify the affected individuals.  It's also worth noting that the IPA notification requirement does not require absolute certainty but only a reasonable suspicion that a security breach has occurred.

Consequently, provided the facts are sufficient to cause one to reasonably suspect that a security breach has in fact occurred, organizations which maintain or transmit such personal information should err on the side of caution an notify their customers accordingly.