Article by Michael Fernon & Burt Hill
A Californian law, which commences operation on 1 July 2003, may have far-reaching consequences for Australian organisations doing business in that state. Organisations that ignore these disclosure requirements may face exposure to civil lawsuits in California.
On 26 September 2002, California enacted legislation which requires businesses and state agencies operating in California to disclose computer security breaches that have compromised confidential information. The legislation, Senate Bill No. 1386, is designed to allow victims of fraud to minimise damage by being informed of the possible misuse of their personal information. Any body, private or public, that conducts business in California, owns or licenses computerised data that includes personal information of any resident of California, and has reason to believe that the data has been acquired by an unauthorised person will be under an obligation to disclose the breach to the resident without unreasonable delay.
Personal information includes a person's name, in combination with his or her social security number, driver's licence number, California Identification Card number, financial information and passwords, access codes and other information, none of which is publicly available. Disclosure must be made in the form of either written or electronic notice to each individual. If the cost of disclosure or the number of individuals compromised exceeds US$250,000 or 500,000 respectively, other forms of notice such as web postings or media releases will be sufficient.
The new Bill also amends the California Civil Code to allow customers injured by a violation of this law to institute civil action to recover damages from businesses that violate this law.
Just how far-reaching this new law is remains a matter of conjecture. Some legal analysts in the US believe companies in other states of America that are selling products or providing services to residents of California will be conducting business in California for the purposes of the Act, and therefore subject to the law. Australian companies that conduct business in California with Californian residents may also be subject to the law. The Act does not define 'conducting business' in California. Whether, for instance, simply selling products or providing services to Californian residents over the internet is enough to trigger the law is left unanswered. In the recent case of Pavlovich v DVD Copy Control Association, Inc., the Californian Supreme Court ruled four to three that Pavlovich, a Texas resident who posted code on the internet that cracks DVD encryption, could not be sued by representatives of the DVD industry in California. The Court found that the DVD Copy Control Association failed to establish a connection between the location where it wished to sue (California) and the conduct in question, holding that simply posting material on the internet was not in itself sufficient to indicate an intention to affect Californian-based companies. Essentially, the conduct was not sufficiently directed towards the State nor targeted towards its residents to warrant the bringing of actions against Pavlovich.
Given this narrowly reached decision, it may be that Australian businesses would have to actually target Californian residents to be seen as conducting business in that state. Examples of this may include opening offices in California to conduct business or directly soliciting Californian customers by conducting advertising or other forms of sales and marketing campaigns in that state.
In the case of MGM v Grokster, the US District Court in California recently ruled that an Australian company, Sharman Networks, even though it was not licensed or incorporated in California and had no offices, employees or assets there, had nonetheless targeted Californian residents sufficiently to give the Court jurisdiction in that case. Sharman provided free software, known as the Kazaa Media Desktop (KMD), that could be downloaded and used to search for and exchange digital music, movies, and other copyrighted works. The Court based its finding of jurisdiction largely on the fact that Sharman had made the KMD software available to about two million residents of the state of California. 'In sum, Sharman engages in a significant quantum of commercial contact with California residents constituting a but for cause of the Plaintiffs' claims. Jurisdiction is therefore presumptively reasonable', wrote the Court.
It may be sufficient, therefore, to establish a cause of action in California, where an Australian bank has a large number of customer accounts of Californian residents or substantial deposits from Californian residents. Similarly, if a business sells a large number of products or services via the internet to Californian residents, there may be a sufficient nexus with California to be deemed to be doing business there.
Despite the uncertainty surrounding the reach of this law, it may be prudent for Australian companies to err on the side of caution and comply with the disclosure requirements if they are dealing with Californian residents. Due to California's prominent role in the worldwide IT industry, the new law may well be a precursor for other legislation, not only in the US but also in other common law jurisdictions such as Australia.
This newsletter provides a summary only of the subject matter covered, without the assumption of a duty of care by Freehills. The summary is not intended to be nor should it be relied upon as a substitute for legal or other professional advice. Copyright in this newsletter is owned by Freehills.