A Good Way to Give Bad News: Recent Amendment to

We often hear stories of laptops containing credit card and social security numbers falling into the wrong hands or hospitals being fined for employees peeking into the medical records of a celebrity. With the sheer volume of electronic information available these days, it is not only likely, it is almost inevitable that a business will have the unfortunate duty of informing its customers of a security breach. When it happens, how do you break the bad news? Fortunately, a statute recently passed by the California legislature, SB 24, provides some much-needed clarity on the contents of the notice of breach.

In 2003, California became the first state to adopt a breach notification law, Civil Code section 1798.82 (Act). This law makes it mandatory for any person or business that owns or licenses computerized data to provide notice to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. "Personal information" is defined as the first name or first initial in combination with other identifying information such as a social security number, driver's license number, California identification card number, account number, credit or debit card number (in combination with any necessary security code, access code, or password), medical information, or health insurance information.

SB 24 amended the Act and added the details of who must be notified, what the notice must say, and where it is to be distributed. Effective January 1, 2012, the notice of breach must be written in plain language and include:

  1. The date of the notice;
  2. The name and contact information of the reporting person or business;
  3. A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
  4. The date or estimated date of the breach or the date range within which the breach occurred;
  5. Whether notification was delayed as a result of a law enforcement investigation;
  6. A general description of the breach incident; and
  7. The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number, driver's license, or California identification card number.

At the discretion of the person or business providing the notice, the security breach notification may also include any of the following:

  1. Information about what the person or business has done to protect individuals whose information has been breached.
  2. Advice on steps that the person whose information has been breached may take to protect himself or herself.

When a single security breach affects more than 500 California residents, a sample notice (not including personal information) must be sent electronically to the Attorney General.

The statute requires that the notice be sent in the most expedient time possible and without unreasonable delay. However, the time for sending notice must be consistent with the needs of law enforcement or any measures necessary to determine the scope of the breach and restore integrity to the system.

Notice may be given:

  1. In writing;
  2. Electronically (provided that the business complies with the "E-Sign Act");
  3. By substitute notice (email notice, publication on the website, and notice to the media and the Office of Privacy Protection) if the cost to send the notice is greater than $250,000, the affected class exceeds 500,000 persons, or the business does not have sufficient contact information; or
  4. Pursuant to notification procedures as part of the business' personal information security policy.

This statute does not replace other state and federal breach notification statutes. For example, Health and Safety Code section 1280.15 requires a California licensed clinic, health facility, home health agency, or hospice to notify the California Department of Public Health no later than five business days after discovery of a breach of patient information.

The Health Information Portability and Accountability Act of 1996 (HIPAA), as modified by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), requires disclosure by a "covered entity" of a breach of unsecured "protected health information" to the affected individuals and to the Secretary of Health and Human Services. A notice that complies completely with the notice content requirements of the HITECH Act will meet the requirements of the Act. Financial institutions in the United States must comply with other federal requirements to develop a response plan and provide notice to consumers in the event of a security breach.

Encryption is one way a business can reduce the odds of a breach that requires notice. Establishing strict company policies on the use of portable devices and downloading is another. Every business should prepare an investigation checklist and designate those persons responsible for gathering information when a breach is suspected. The checklist should include all the information that would be necessary to provide in a notice. Then, executive management, with the assistance of legal counsel, should determine whether the notice is necessary and if so, strictly comply with state and federal law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.