New California Law Requires Notice of Security Breach
06.27.2003
California Senate Bill 1386, which goes into effect July 1, 2003, establishes notification requirements regarding security breaches that involve the compromise of personal information. The statute applies to state agencies and persons or businesses conducting business in California that maintain or license electronic personal information. This may mean it applies even to companies that are not physically located in California but that collect data from California residents in the course of doing business in California or with other sufficient contacts with the State. The statute requires covered entities to notify users of any security breach that might expose their personal information to unauthorized scrutiny or use. The legislation renumbers California Civil Code section 1798.82 as 1798.84, and adds new sections 1798.29 and 1798.82 to the Code.
The statute's notice requirements are triggered when, due to a security breach, data is revealed that includes a person's name in combination with at least one of the following pieces of personal information: (1) social security number; (2) driver's license or California ID card number; or (3) account number or credit/debit card number, if in combination with any kind of password or PIN. If either the name or data element is encrypted, however, the notice requirements do not apply. In addition, the notice requirements do not apply to publicly available information found in government records.
The law defines a "breach of the security of the system" resulting in disclosure of the above personal information as an "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency."
Upon breach, the entity must notify "in the most expedient time possible and without unreasonable delay" any California residents whose personal information was acquired, or is believed to have been acquired, without authorization. The only apparent permissible reason for delay is where notification would impair law enforcement efforts. This may mean that the time available for internal investigation of the breach before notice is minimal, or that every breach becomes a law enforcement matter in order to ensure a full investigation of the facts.
Further, determining whether users are residents of California could be challenging, especially where telephone number or address information is not collected. Given that many companies do not segregate databases based on state residency or cannot easily sort customer information, the entity whose data security is compromised may need to notify every one of its users, even though many are not California residents, in order to meet the technical requirements of the law.
For companies that use remote storage or have vendors that maintain customer information, the law states that an entity that maintains personal data it does not own is required to notify the owner or licensee of the information in the event of a security breach. It is important for companies to carefully consider agreements with such vendors to determine whether notification procedures and the parties' respective responsibilities are sufficiently detailed. In particular, companies may wish to control the manner and timing of public notice of any breach, and, if so, will need to include provisions in their agreements regarding this issue.
Notice to California residents can be written, or electronic if the electronic notice complies with the federal E-SIGN Act. Substitute notice is allowed if the cost of providing notice exceeds $250,000, if more than 500,000 people must be notified, or if the entity does not possess sufficient contact information. In addition, the statute excepts from the specific notice requirements persons or businesses that have implemented their own notification policies, as long as those policies comply with the general statutory conditions.
Damages and injunctive relief are available under new California Civil Code section 1798.84 for violation of these provisions.
Some issues for you to consider in preparation for this new law:
- Vendor and Third-Party Agreements: Do your agreements with outside vendors or other third parties who have access to your data provide sufficient protections, including indemnity provisions and requirements that the vendor maintain insurance to cover claims resulting from security breaches? Do such agreements provide sufficient description of each party's responsibilities in the event of a security breach? Should you include a confidentiality provision in such agreements so that you can control any public notification of a breach?
- Security Policy and Incident Response Plan: Have you updated your security policy and incident response plan to consider the law? Have you sufficiently communicated any new security procedures to your employees?
- Customer Agreements, Terms of Use and Privacy Policy: What do your customer agreements, terms of use or privacy policy say about security and notification in the event of breach?
- Litigation: There is no immunity or safe harbor in the statute. Notification of a large compromise certainly has the potential to result in class action lawsuits or state or federal enforcement actions, especially if one assumes data loss for residents of other states where there is no notice requirement. In light of this possibility, should you institute a blanket notice policy? Should you amend your customer agreements and terms of use to provide for arbitration or limitations on liability as well as other defensive provisions to avoid class certifications?
- Insurance: Have you reviewed your insurance policies to determine whether you have coverage for claims related to security breaches? In particular, consider obtaining a special online liability policy that may cover your damages for theft of electronic data and the defense of claims against you arising from such theft.