In the U.S., no comprehensive national law yet exists that generally requires notification of security breaches involving personal information.[1] California passed the first data breach notification statute in 2003,[2] and over 30 states have since enacted similar laws. The California law, commonly referred to as "SB 1386,"[3] requires owners, licensors, or custodians of personal information to notify data subjects whose information was (or is reasonably believed to have been) acquired in an unauthorized fashion. California law also imposes proactive obligations related to data destruction and the maintenance of reasonable security measures.

Courts have not yet interpreted the California Data Protection Act[4] (the "Act"), originally enacted in September 2000, but its legislative history reflects an intent to provide individuals with damages or injunctive relief against businesses that violate certain individual privacy rights.[5]

The Act obligates owners or licensors of personal information[6] (i.e., "data custodians") to:

  • take all reasonable steps to destroy personal information no longer needed by the business (See Section 1798.82);
  • notify any California-resident data subjects whose unencrypted information was (or was reasonably believed to have been) acquired in an unauthorized manner (See Section 1798.82); and
  • implement reasonable security measures (See Section 1798.81.5).

Some significant concepts under the Act include the definition of personal information, the definition of "breach of the security of the system", and disclosure requirements.

Personal information

For the purposes of Sections 1798.80-81, "personal information" includes any information that can be associated with an individual. In fact, even a name, address, or telephone number alone constitutes "personal information" under this section. For purposes of Section 1798.82, "personal information" is defined as an individual's name in combination with one or more "data elements" (e.g., her account number) where either the name or the account number is not encrypted.[7]

Breach of the security of the system

A "breach of the security of the system" under Section 1798.82 consists of "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business."[8] According to guidance issued by the State of California (the "California Guidelines"), when determining whether personal information has been or "is reasonably believed to have been acquired" in an unauthorized manner, the following non-exhaustive list of factors should be considered:

  1. indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing unencrypted notice-triggering information;
  2. indications that the information has been downloaded or copied; and
  3. indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.[9]

Disclosure

Under the Act, businesses must disclose breaches to affected persons "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement … or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system."[10] Note that the California Guidelines on this topic require data custodians to notify affected individuals within ten days of the discovery of the breach.[11] By contrast, a business that maintains such data without owning or licensing it must immediately disclose the breach to the owner or licensee of the data.[12] In both circumstances, the notification may be delayed "if a law enforcement agency determines that the notification will impede a criminal investigation."[13] Section 1798.82 also contains a law enforcement safe harbor.

Section 1798.81.5[14] of the Act mandates that any data custodian "implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure."[15] Sections 1798.81.5(b) and (c) were intended "to encourage businesses that own or license personal information about Californians to provide reasonable security for that information."[16] It is important to note that the Act does not define what constitutes "reasonable security measures." The law requires only that such measures be commensurate with the type of data being maintained by the business.

Other states

Data protection laws in other states contain similar basic data breach notification provisions; however, a wide variety of differences exist among the state laws. This variety creates the proverbial "patchwork of laws" and makes compliance a challenge, since companies that maintain personal information tend to have customers in numerous states. Following is a brief sampling of some varied state provisions. In Florida, for example, administrative fines of up to $500,000 can be levied if disclosures are delayed. In Montana, disclosures are required only where a breach materially compromises the personal information. In New York, the entity suffering a breach must notify, among others, various authorities. In North Dakota, personal information is defined more expansively, to include mother's maiden name, birth date, and an individual's digitized or electronic signature.

Conclusion

In light of the continuing string of data breach disclosures, further U.S. legislation in this area is inevitable. Additional states will likely pass reactive data breach notification laws. Further, many commentators speculate that federal legislation will be passed in 2007 that will preempt many (if not all) of the state laws in this area.

This article was prepared in conjunction with Bird & Bird, as part of an overview of security breaches involving personal information in key countries around the globe. If you would like more information, a brief summary, by country, of required ISP and network operator disclosures for security breaches, can be found here.

Footnotes

1 The Gramm-Leach-Bliley Act (the "GLBA") requires notification of data breaches, but the GLBA only applies to financial institutions.

2 Note that this alert is limited to a discussion of California statutes related to security breach notification. There are other privacy-related statutes in existence in California but these are outside the scope of this alert.

3 Also known as "Senate Bill 1386".

4 Cal. Civ. Code § 1798.80 et seq.

5 Id.

6 The statute defines "personal information" as an individual’s first name or first initial and last name in combination with any one or more of the following, when either the name or data elements are not encrypted: (a) Social Security number; (b) driver’s license number or California ID card number; (c) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Cal. Civ. Code § 1798.80(e).

7 Cal. Civ. Code § 1798.82(e)(3). Other enumerated "data elements" include the individual’s social security and driver’s license numbers. Cal. Civ. Code § 1798.82(e)(1), (2).

8 Cal. Civ. Code § 1798.82(d).

9 "Recommended Practices on Notification of Security Breach Involving Personal Information" at 11, California Department of Consumer Affairs, Office of Privacy Protection, April 2006 (hereinafter, the "California Guidelines") (available at www.privacy.ca.gov).

10 Cal. Civ. Code § 1798.82(a).

11 See California Guidelines, at 11-12.

12 See Cal. Civ. Code § 1798.82(b).

13 Cal. Civ. Code § 1798.82(c).

14 Unlike the foregoing sections, this section was not enacted until 2004, and only became effective as of January 1, 2005. 2004 Cal. Legis. Serv. Ch. 877 (A.B. 1950) (West 2004). This section was amended in very minor respects on June 28, 2005. 2005 Cal. Legis. Serv. Ch. 22 (S.B. 1108) (West 2005). References and quotations herein are to Civ. Code § 1798.81.5 as most recently amended.

15 Civ. Code § 1798.81.5(b).

16 Cal. Civ. Code § 1798.82(a).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.