Technology Commentaries California Raises the Bar on Data Security and Privacy

California has recently enacted two landmark pieces of consumer rights legislation, each of which creates new burdens for companies doing business with California residents. The first, Senate Bill No. 1386 ("SB 1386"), requires any company that stores customer data electronically to notify its California customers of a security breach to the company's computer system if the company knows or reasonably believes that unencrypted information about the customer has been stolen. The second, Senate Bill No. 1 ("SB 1"), commonly known as the California Financial Information Privacy Act, creates new limits on the ability of financial institutions to share nonpublic personal information about their clients with affiliates and third parties. This Technology Commentaries provides a brief overview of each of the new laws and what companies should be doing to comply with the new statutes.

SB 1386 obligates companies electronically storing the unencrypted personal information of any California resident to notify such persons of a security breach to the database storing their data. Passed almost unanimously by the California Senate and Assembly and effective July 2003, the statute was created to address one of the fastest growing crimes committed in California—identity theft—but it has far broader legal implications.

Specifically, SB 1386, codified as Civil Code § 1798.82, et seq., requires "any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, [to] disclose any breach of the security system…to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." The statute imposes specific notification requirements on companies in such circumstances. The statute applies regardless of whether the computerized consumer records are maintained in or outside California. As long as a company conducts business in California and owns or licenses computerized data that includes "personal information" (defined below) about residents, it has a legal obligation to notify its California consumers of security breaches to their personal information. The statute thus has broad implications for companies across the United States, and worldwide, if they maintain, own, or license unencrypted computer data containing personal information about California residents.

Consequences of Noncompliance. The statute provides a strong incentive for companies to adopt comprehensive security procedures to limit the vulnerability of their computer systems and to create a plan of action in the event of a security breach. Companies that fail to secure themselves face the cost of notification and the negative impact on image and consumer confidence associated with publicly disclosing a security breach. Moreover, companies face private actions for damages if they fail to notify consumers of a security breach, which could include class actions. The statute also provides that "[a]ny business that violates, proposes to violate, or has violated this title may be enjoined."

"Security Breach" and "Personal Information" Defined. The statute defines "personal information" as an individual’s first name or first initial and last name in combination with any one or more of the following, when either the name or data elements are not encrypted: (a) Social Security number; (b) driver’s license number or California ID card number; (c) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

The statute broadly defines a "security breach" as an "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business." The statute does not define the term "unauthorized" or specify what evidence of a breach is necessary to trigger notification obligations. The statute also leaves unresolved whether companies have an affirmative duty to actively monitor and detect security breaches.

Notice Obligations Upon a Breach of Security. A company must notify any California resident whose unencrypted "personal information" was, or was reasonably believed to have been, acquired by an unauthorized person. Although the statute does not specify what the disclosure must entail, it does state that notice must occur in "the most expedient time possible and without unreasonable delay." A company may delay notice if a law enforcement agency "determines" that the notification will impede a criminal investigation.

Notice may be provided in writing, or electronically if the electronic notice is consistent with federal law regarding electronic records and signatures. If a company can demonstrate that the cost of providing notice would exceed $250,000, or that the affected class of persons to be notified exceeds 500,000, or that the company does not have sufficient contact information, then it may instead use "substitute notice." Substitute notice requires the following three actions: (1) e-mail notice when the company has e-mail addresses for the subject persons; plus, (2) conspicuous posting of notice on the company’s Web site, if it maintains one; plus, (3) notification in a major statewide media. Alternatively, a company that maintains its own notification procedures as part of an information security policy that is consistent with the timing requirements of the statute is deemed to be in compliance with the statutory requirements if it notifies the affected consumers in accordance with its policies.

Strategies for Security and Compliance. Companies should review their privacy policies and security procedures for compliance. To start, companies should inventory existing computer systems and electronic files to determine what personal information companies collect and maintain and in what form. Companies may wish to specify notification methods in user agreements or privacy/security statements. At the same time, however, companies must exercise caution not to overstate the actual level of security in place because the Federal Trade Commission actively prosecutes companies for false or misleading security or privacy representations posted on a company’s Web site or elsewhere.

One preventive measure companies may take to avoid liability under the statute is to encrypt computerized data, as the statute applies only to "unencrypted personal information." Companies may also mitigate "unauthorized" access by limiting employee access to computer data to a "need to know" basis using passwords or other techniques, and training employees on the importance of information protection and immediate reporting of breaches. Additionally, new technologies designed to provide detail about network conduct and data-flow patterns may provide companies with critical information about improper data acquisition. Finally, companies that have third-party contracts involving the transfer of computerized personal information should review the contracts to ensure they provide for notification and, where appropriate, the right to require, control, or otherwise participate in reporting security breaches involving the computerized personal information of California consumers.

SB 1 expands the financial privacy rights provided to consumers under the federal Gramm-Leach-Bliley Act ("Gramm-Leach-Bliley"). Under Gramm-Leach-Blily, financial institutions currently have an obligation to provide notice to consumers regarding the institution's use of consumers' nonpublic financial information, and consumers have the right to request their information not be shared with unaffiliated third parties. California SB 1 sets more rigorous standards in regard to both the disclosure obligations of financial institutions and the ability of consumers to prevent their information from being shared with affiliates and third parties.

SB 1 creates a three-tier system where the conditions that must be met for financial institutions to lawfully share "nonpublic personal information" about consumers depends upon the relationship between the institutions. First, the law does not create any restrictions on the ability of financial institutions to exchange information with their wholly owned subsidiaries or on the exchange of information between entities wholly owned by the same parent as long as those entities are (i) regulated by the same functional regulator, and (ii) are engaged in the same line of business. Second, for a financial institution to share information with an affiliate, that is, "any entity that controls, is controlled by, or is under common control with" the institution, it must provide consumers with an annual notification that such information may be disclosed to affiliates and it must provide consumers an opportunity to opt out of the sharing arrangement. Finally, financial institutions will not be allowed to share nonpublic personal information about their clients with nonaffiliated third parties without the written consent of the client authorizing release of his or her information, thus creating a mandatory opt-in system for the release of information to third parties.

Consequences of Noncompliance. Negligent failure to comply with the terms of the statute can lead to civil liability damages of up to $2,500 per violation, for a total of up to $500,000 per occurrence, with the damages set "irrespective of the amount of damages suffered by the consumer as a result of that violation." Knowing and willful violations will likewise be subject to civil damages of up to $2,500 per violation, but there is no limit on the level of damages per occurrence for such violations. In line with the state's strong stance toward protecting against identity theft, all fines can be doubled in instances where violation results in the identity theft of a consumer.

"Financial Institution" and "Nonpublic Personal Information" Defined. The definition of "financial institution" is taken largely from Section 1843(k) of Section 12 of the United States Code ("Section 1843(k)") with the additional qualifier that the institution must be "doing business in" the state of California. Section 1843(k) provides a range of factors that should be considered in determining whether a company is classified as a financial institution, with a focus on whether the institution is engaged in activities such as "lending…or safeguarding money or securities," "insuring…against loss," "providing financial, investment, or economic advisory services," and "underwriting, dealing in, or making a market in securities." Companies "primarily engaged in providing hardware, software, or interactive services," as long as they are not also engaged in other activities that would render them a financial institution, are not financial institutions for purposes of SB 1.

"Nonpublic personal information" is defined as "personally identifiable financial information" obtained by a financial institution. "Personally identifiable financial information" is defined as "information (1) that a consumer provides to a financial institution to obtain a product or service from the financial institution, (2) about a consumer resulting from any transaction involving a product or service between the financial institution and a consumer, or (3) that the financial institution otherwise obtains about a consumer in connection with providing a product or service to that consumer." The definition of "nonpublic personal information" explicitly excludes information that the financial institution could reasonably believe is available to the general public.

Compliance Issues. Both the opt-in and the opt-out sections of the law include requirements as to the form of communication with the intent of making it easy for consumers to understand and exercise their rights under the statute. For example, the notification regarding the release of information to affiliates must, among other things, be a separate document conspicuously titled "Important Privacy Choices For Consumers," it must use clear English, and it must provide "choice boxes" that enable consumers to check off their privacy preferences. A model form is provided, and institutions that use the model are presumed to be in compliance with the form requirements. The notice requirement can also be satisfied via electronic notification if certain conditions are met.

To further ensure that consumers are free to exercise the privacy rights created by SB 1, the statute contains a nondiscrimination requirement that makes it unlawful for companies to discriminate against consumers who exercise their right to opt out of affiliate sharing or who do not approve the release of their information to third parties.

The new law goes into effect July 1, 2004. However, financial institutions may continue to perform on contractual obligations requiring disclosure of nonpublic personal information to third parties until January 1, 2005 for all contracts entered into on or before January 1, 2004.

Questionable Legal Authority. The legality of SB 1 remains an open question, and suits challenging the right of California to adopt such legislation are expected. Gramm-Leach-Bliley, identified by the California legislature as the federal law pursuant to which they adopted SB 1, allows states to adopt more stringent consumer protection measures than those adopted by Congress. Specifically, Gramm-Leach-Bliley states that "[f]or purposes of this section [on privacy and the disclosure of nonpublic personal information] a State statute…is not inconsistent with the provisions of this subtitle if the protection such statute…affords any person is greater than the protection provided" hereunder. 15 U.S.C. § 6807(b). The federal Fair Credit Reporting Act, in contrast, largely proscribes the authority of the states to create more rigorous standards than those set by Congress in this area, and would likely preempt major sections of SB 1. 15 U.S.C. § 1681t (b). The relevant provision of the Fair Credit Reporting Act is set to expire at the end of 2003, but legislation is pending to make it permanent. What this means for the fate of SB 1 remains an open question.

The recent enactment of SB 1386 and SB 1 suggests California is continuing to lead the nation in efforts to protect consumer rights. This creates unique challenges for national and global companies doing business in California or with California residents.