Many businesses compile extensive computer databases of information about their customers. California imposes responsibilities on companies of all sizes if there is a breach of the security of that information. Although the law has been in force since July 2003, it received widespread publicity only this year, in the wake of security breaches at LexisNexis, ChoicePoint and other companies. For many companies the issue affects operations and marketing as well as creating potential legal liability.

DATABASES & IDENTITY THEFT

Many businesses recognize that the data they collect about their customers can be put to profitable use, whether as sales leads for their own products and services or through the sale or rental of their mailing lists to other companies. At the same time, identity theft has been one of the fastest-growing crimes in California, according to the state legislature. The legislature's goal was to give individuals as much early warning as possible when their personal information is placed at risk.

In recent years, what had been a small patchwork of laws governing data security has grown enormously, at the federal as well as the state level. Sarbanes-Oxley and Gramm-Leach-Bliley are among the acts of Congress in the field, and the Federal Trade Commission and other agencies have promulgated regulations. In September 2004 California alone enacted four new laws extending privacy protection in the state. The touchstone of regulation remains, however, the California statute from 2003, commonly known as S.B. 1386.

THE REQUIREMENTS

S.B. 1386 applies to all businesses, no matter how small, and even if they are not incorporated. It also applies to any company that conducts business with California residents; on its face, the statute applies regardless of where in the world the company is located.

The personal information protected is any unencrypted computerized record (whether the company owns the data or merely licenses it) in which a person's first name or initial and last name are combined with any of the following: (1) his or her social security number; (2) California driver's license or identification card number; or (3) a bank account, credit card or debit card number together with the PIN, security code or password needed to access the account. The law's requirements are triggered whenever there is a "breach of the security of the system" on which the person's name and any of those data elements are stored. A breach of security occurs whenever the business knows or has reason to believe that an unauthorized person has acquired that information. Although the law was designed with online hackers in mind, read literally its requirements are triggered by breaches as simple as the theft of customer data by a fired employee who walks out of the company premises with the data on a floppy disk.

If a breach occurs, the business must disclose it to everyone whose personal information was compromised, in the most expedient time possible and without unreasonable delay. Subject to certain exceptions, notice must be given in writing or electronically; electronic notice must comply with federal electronic records and signature requirements. A further alternative is available to companies whose information security policies for the treatment of personal information include their own notification procedures: if a company already has a method of communicating with its customers, the law permits use of that method rather than imposing a separate requirement, provided the notice is still expedient. A company that violates the law may be sued by its customers for the damages they suffer, and the law specifically preserves the customers' right to assert other claims as well. One can imagine claims for violation of the law being brought on a class action basis under California's unfair competition law. The California Legislature rejected recommendations that companies should merely report breaches of security to law enforcement agencies.

BUSINESS ISSUES & SOLUTIONS

This issue affects companies not only through potential legal liability for noncompliance but also through its effects on operations and marketing. If a company is moving its customer communications towards the Internet, and its strategy is premised on the economics of doing so, it can ill afford a perception that those who buy from it risk becoming victims of identity theft. Banks have been especially careful about this issue, for obvious reasons. Companies must also consider how to coordinate the new requirements with existing ones, such as those of the Children's Online Privacy Protection Act and industry-specific laws such as those governing the privacy of medical records.

There are some technological measures companies may be able to take. One is that, because S.B. 1386 applies only to "unencrypted" information, in some circumstances companies can encrypt their databases. That exemption is only as strong as the handling of the key: if an intruder who copies the data can also obtain the key, the information is unencrypted for all practical purposes. Another development is that enterprise incident response tooling deployed on a network now allows companies to monitor and evaluate the existence and severity of security breaches, and to coordinate issues arising under S.B. 1386 with other legal requirements. Out-of-state companies with some California customers have to make a choice, as the ChoicePoint case so starkly illustrated. They can attempt to identify their California customers separately when complying with S.B. 1386, or they can make compliance with California's requirements part of companywide information security policies covering all of their customers.
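The two technical measures just described, encrypting the covered data elements and scoping a breach once one has been detected, as an added example in Go. This is not code from the original article or its author. It assumes a hypothetical customer table limited to the fields the statute names, a constructed export standing in for data copied by an intruder, and an AES-256-GCM key that is held outside the database; the rule it encodes is the definition of personal information given above (name plus an unencrypted SSN, driver's license or ID number, or account number with its PIN), not a legal opinion on any particular record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
)

// Record is one row of a hypothetical customer table, limited to the statutory fields.
type Record struct {
	FirstName, LastName string // first name or initial, and last name
	SSN, DriversLicense string // social security number; California driver's license or ID number
	AccountNumber, PIN  string // bank account / credit / debit card number and the PIN that goes with it
	Encrypted           bool   // true once the data elements are stored as ciphertext
}

// Triggers reports whether a row, as stored, is "personal information" under the statute.
func Triggers(r Record) bool {
	hasName := r.FirstName != "" && r.LastName != ""
	hasElement := r.SSN != "" || r.DriversLicense != "" ||
		(r.AccountNumber != "" && r.PIN != "") // an account number alone is not covered
	return !r.Encrypted && hasName && hasElement
}

// BreachScope returns the rows of a dumped table whose subjects must be notified.
func BreachScope(dump []Record) (out []Record) {
	for _, r := range dump {
		if Triggers(r) {
			out = append(out, r)
		}
	}
	return out
}

// newGCM builds AES-256-GCM from a 32-byte key that in production lives in a KMS or HSM.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one data element as hex(nonce || ciphertext || tag) under a fresh nonce.
func EncryptField(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// DecryptField reverses EncryptField; a wrong key or a tampered value fails the tag check.
func DecryptField(key []byte, encoded string) (string, error) {
	raw, herr := hex.DecodeString(encoded)
	gcm, kerr := newGCM(key)
	if herr != nil || kerr != nil || len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("bad ciphertext or key: %v %v", herr, kerr)
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(plain), err
}

// EncryptRecord encrypts only the statutory data elements; the name stays readable.
func EncryptRecord(key []byte, r Record) (Record, error) {
	var err error
	for _, f := range []*string{&r.SSN, &r.DriversLicense, &r.AccountNumber, &r.PIN} {
		if *f, err = EncryptField(key, *f); err != nil {
			return Record{}, err
		}
	}
	r.Encrypted = true
	return r, nil
}

// SampleDump is a constructed export standing in for data copied by an intruder.
var SampleDump = []Record{
	{FirstName: "J", LastName: "Doe", SSN: "123-45-6789"},                               // covered
	{FirstName: "Ann", LastName: "Lee", AccountNumber: "4111111111111111"},              // no PIN: not covered
	{FirstName: "Ann", LastName: "Lee", AccountNumber: "4111111111111111", PIN: "7391"}, // covered
	{LastName: "Ray", DriversLicense: "D1234567"},                                       // no first name: not covered
}

func main() {
	key := make([]byte, 32) // demo key; a real one is fetched from the KMS/HSM, never stored with the data
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	enc, err := EncryptRecord(key, SampleDump[0])
	fmt.Println("rows in scope:", len(BreachScope(SampleDump)), "encrypted row covered:", Triggers(enc), err)
}
```

Triggers takes a row out of scope only because its data elements are ciphertext, and that holds only while the key is not obtained together with the data. Keep the key in a separate key-management service or HSM, not in the same database, backup set or configuration store that an intruder would copy, and treat a breach of the key store as a breach of every record encrypted under it.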
Many smaller companies (and even not-so-small companies) employ an outsourced managed hosting service. Those companies should verify that their contracts with the outside service, as well as the procedures employed by the service, require the service firm to notify the company if there has been a security breach affecting the company’s customer information. Lastly, a company will be well-advised to consider whether its insurance policies cover electronic commerce incidents of this type. Alan J. Haus is a partner in the San Francisco office of Lewis Brisbois Bisgaard & Smith LLP, where he practices intellectual property law.


Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.