X

Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Businesses could face increased litigation as a result of a new California law that requires companies across the country to notify California customers if their personal information is illegally accessed from a company’s computer network, according to corporate lawyers nationwide. A federal bill pending in the Senate Judiciary Committee that would have the same notification requirements may create the same impact, but lawyers said it is too early to anticipate this since it is not finalized yet. The bill was introduced in June by Sen. Dianne Feinstein, D-Calif. Under the new law that went into effect on July 1, Californians whose personal information is either stolen or illegally accessed now have a private cause of action against companies anywhere in the nation that fail to notify them in an “expedient” fashion. “The California law gives a fair amount of room for class action lawsuits, as well as lawsuits under the California Business and Professions 17200 code, which allows any citizen of California to act as a private attorney general on behalf of other citizens,” said Maren Nelson, a partner in the Los Angeles office of San Francisco’s Morrison & Foerster who represents financial institutions. A major problem with the new law, according to Cheryl Falvey, a partner in the McLean, Va., office of Akin, Gump, Strauss, Hauer & Feld, is that often companies do not even know when a network breach has occurred. It might take days for a company to recognize the breach and to notify customers. If customers are not notified quickly enough — “expedient” is not defined in the law — they then have a cause of action. An additional problem, said Joseph Gabai, a partner in the Los Angeles office of Morrison & Foerster, is that hackers usually steal as much information as possible, which could translate into thousands of customer files. The sheer quantity could make the notification process difficult, he said. California Assemblyman Joe Simitian, co-author of the bill, said that the law will not lead to a rise in lawsuits. Simitian said that the law gives consumers the information necessary to protect themselves from identity theft, and it encourages companies to update their systems to protect consumers’ data. “It is not meant to penalize companies, but to protect customers,” he said. Simitian points to the fact that encrypted data are not subject to the law. The state law enables consumers to protect themselves, according to Steve Blackridge, legislative director for the California Public Interest Research Group, which supports the law. He said that consumer data get passed among companies and government agencies, increasing the chances of information being stolen. AMBIGUOUS LANGUAGE The Investment Company Institute opposes the law in part because of ambiguous language contained in the bill that would require a company to notify customers if its network was breached, even if the customer’s personal information was never taken, said Tamara Salmon, senior associate counsel for the Washington-based institute. This places an unfair burden on companies and unduly exposes them to liability, she said. The institute is the national association of the American investment company industry. Under the law, if a hacker steals a customer’s name along with other personal information, such as a Social Security number or bank account data, the company must notify the customer as soon as possible. If the company cannot contact every affected customer, it must either post a notice on its Web site about the breach or notify state media. Consumers who are aware that their personal information has been stolen already have remedies under California law, such as the ability to seek an injunction against any agency that is attempting to collect on a fraudulent account. The goal for all companies, according to Falvey, should be to limit their liability by using as much protection as possible. Falvey, who represents a national hotel chain, advised the chain to fulfill its due diligence by encrypting all of its data. She has also been advising clients to notify all customers affected by a breach, and not just California residents. Falvey said that a company will have a tough time explaining to customers in the other 49 states why they were not notified that they might have had their identities stolen. Hiring practices are also being scrutinized by many companies, according to Charlie Kennedy, a partner in Morrison & Foerster’s McLean, Va., office who represents Internet companies. “Companies call in IT professionals to install firewalls and encryption codes, but they forget about employees who can just walk away with the data,” he said. Lawyers disagreed over whether there would be liability if an employee decrypted customers’ personal information and then stole it. Thirty companies — including Best Buy, Fairmont Hotels and Resorts, The Gap, Apple Computer and Home Depot — were contacted regarding the California law, but none wished to comment. Lawyers speculated that companies that are working to protect their networks do not want hackers to know of their vulnerability.

This content has been archived. It is available exclusively through our partner LexisNexis®.

To view this content, please continue to Lexis Advance®.

Not a Lexis Advance® Subscriber? Subscribe Now

Why am I seeing this?

LexisNexis® is now the exclusive third party online distributor of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® customers will be able to access and use ALM's content by subscribing to the LexisNexis® services via Lexis Advance®. This includes content from the National Law Journal®, The American Lawyer®, Law Technology News®, The New York Law Journal® and Corporate Counsel®, as well as ALM's other newspapers, directories, legal treatises, published and unpublished court opinions, and other sources of legal information.

ALM's content plays a significant role in your work and research, and now through this alliance LexisNexis® will bring you access to an even more comprehensive collection of legal content.

For questions call 1-877-256-2472 or contact us at [email protected]

 
 

ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.