This column is continued from part one of Compliance with California's new mandatory disclosure law.
Strategies for Compliance
Identify key systems containing personal information, and activate and enhance logging capabilities on such systems and/or deploy new technology designed to provide more forensic detail about conduct on networks. The statute is triggered when an entity knows or reasonably believes that unencrypted personal information of a California resident has been compromised. Unfortunately, the statute provides no guidance or examples to help determine what set of facts would give rise to a "reasonable belief" of an unauthorized acquisition of personal information. Therefore, corporations should first consider whether they have individual systems upon which the following information is stored in combination with a person's name: (1) social security number, (2) driver's license number or California ID card number or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.
If there are systems that contain such information, any intrusion into such systems (or combination of systems from which the data can be pieced together) should be examined to determine if the intruder was able to obtain access to the files containing such information. If the intruder actually obtained the information (i.e., downloaded the files or stole the hard drive from the computers), the California statute would be triggered. If the intruder obtained root access to the system containing relevant files, but there is no way to determine whether the files were accessed, a conservative approach requires acting as if the statute had been triggered. In such cases, immediate and detailed forensic examination may be critical to taking a more aggressive approach, because the results of such examination could rule out the theft of personal information. Storing either the individual's name or the relevant personal information in encrypted form would also obviate the need for notice.
Prospectively, a company should consider employing measures that make the determination of whether personal information has been acquired by an unauthorized person more reliable. In addition to developing systems to track network access, existing activity and process logging capabilities can be turned up to their maximum settings and maintained remotely (on a system other than the one being logged) to ensure secure, detailed recordation of activities on computers and systems that store or process unencrypted personal information. (For discussion of the tweaks necessary to enhance the security and comprehensiveness of logging and passive network surveillance, see, e.g., Kevin J. Mandia, "Incident Response: Investigating Computer Crime," pp. 39-50, 198-222.) In addition, now that encryption technology has become more seamlessly integrated into standard applications, the time may be ripe to revisit the idea of storing data in encrypted form.
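The inventory step above (which systems hold a name in combination with one of the three statutory data elements, and whether encryption of the name or the element takes a record out of scope) can be made mechanical. The following is an added example, not code from the column; the field names, the SSN and California driver's license formats, and the sample inventory are all assumptions constructed for illustration.

```python
import re

# Patterns for the statute's data elements (constructed for this example; the
# SSN and California DL formats are assumptions and should be tightened for real data discovery).
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
CA_DL_RE = re.compile(r"^[A-Z]\d{7}$")
ACCOUNT_RE = re.compile(r"^\d{8,19}$")

def plaintext_fields(record, encrypted):
    """Drop fields stored encrypted: the statute reaches only unencrypted data,
    so an encrypted name or encrypted element removes the combination from scope."""
    return {k: v for k, v in record.items() if k not in encrypted and v}

def is_personal_information(record, encrypted=()):
    """Name plus (1) SSN, (2) driver's license / CA ID number, or (3) an account
    or card number together with a code or password permitting account access."""
    f = plaintext_fields(record, set(encrypted))
    if "name" not in f:
        return False
    if SSN_RE.match(f.get("ssn", "")):
        return True
    if CA_DL_RE.match(f.get("dl", "")):
        return True
    return bool(ACCOUNT_RE.match(f.get("account", "")) and f.get("access_code"))

def key_systems(inventory):
    """Names of systems holding at least one statutory record in plaintext: the
    systems whose logging should be enhanced and whose intrusions must be assessed."""
    return sorted(name for name, system in inventory.items()
                  if any(is_personal_information(r, system.get("encrypted", ()))
                         for r in system["records"]))

# Constructed inventory of hypothetical systems (assumed field names).
INVENTORY = {
    "hr-payroll": {"records": [{"name": "A. Resident", "ssn": "123-45-6789"}]},
    "crm": {"records": [{"name": "B. Resident", "email": "b@example.com"}]},          # name + e-mail only
    "billing": {"records": [{"name": "C. Resident", "account": "4111111111111111"}]},  # no access code
    "dmv-export": {"records": [{"name": "D. Resident", "dl": "A1234567"}],
                   "encrypted": {"name"}},                                             # name encrypted
    "portal": {"records": [{"name": "E. Resident", "account": "123456789012",
                            "access_code": "9911"}]},
}

if __name__ == "__main__":
    print(key_systems(INVENTORY))  # ['hr-payroll', 'portal']
```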
Amend incident response plan to require notification of counsel's office or incident response team when breach of key systems has been detected. Because a company will likely be deemed to have been on notice when an intrusion or unauthorized use of the key systems has been detected by individuals in the information security or IT department, it is important that corporations ensure that they have incident response plans that provide for timely reporting of incidents to a person or group responsible for making notification decisions.
Adopt or revise corporate incident response policies to provide a notification plan (at least for California residents) on terms more flexible than the substitute notice provisions of Section 1798.82(g)(3). The two key exceptions to the formal statutory notification requirements are: (1) where "a person or business maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part… if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system," and (2) where a law enforcement agency determines that notification will impede a criminal investigation.
The first exception is the most useful in avoiding the strict notification regime of the California statute, because the California statute gives wide latitude to those companies that have an organizational incident response plan that includes some form of notification to customers. Such a plan must still comport with the timing requirements of the statute, which requires notice within "the most expedient time possible and without unreasonable delay, consistent with legitimate needs of law enforcement . . . or any measure necessary to determine the scope of the breach and restore the reasonable integrity of the data system." (Although the statute does not provide any specific time period for providing notice, the incident that sparked the legislation involved the failure of a California state agency to notify state employees of a large-scale theft of personal information for more than two weeks after the breach was discovered.) Nevertheless, an internal plan provides far more flexibility on the nature and scope of the notice and more certainty with regard to timing issues. For example, the thresholds for providing "substitute notice" under the California statute are quite high -- before substitute notice can be invoked, the costs of providing direct notice must exceed $250,000, or more than 500,000 people must be affected by the incident. Even when invoked, the substitute notice provisions are onerous, requiring notice by e-mail and Web site posting and notification to major statewide media.
If a corporation adopts its own notification procedures as part of an information security plan, however, it can set its own threshold as to when direct notice is required. Similarly, a corporation's substitute notice plan need not involve all three mandatory aspects of the California statute. According to the statute, the only requirement placed on a corporation's own notification plan is that it comport with the timing requirement of the statute.
Amend or draft incident response plan to contain mandatory period for investigation and remediation before decision-making with regard to third-party notifications. An internal notification plan may provide additional flexibility because such a plan can reasonably contain a defined pre-notification investigation and remediation period to "determine the scope of the breach and restore the reasonable integrity of the data system." Such a mandatory pre-reporting period is advisable regardless of the California statute, as it provides time for the corporation to determine the nature and extent of any unauthorized activity so that the company can make informed and thoughtful decisions on issues such as: (1) the scope of necessary forensic examination; (2) the nature of remediation efforts; (3) the need to notify customers, shareholders and other third parties; and (4) the desirability of making a law enforcement referral or pursuing civil enforcement and recovery. While the length of such a period may vary depending on the nature of the suspected unauthorized activity, setting a minimum time period for evaluation and investigation will allow the corporation to pause for informed decision-making before committing to the irreversible step of notification.
Where notice is ultimately required, either by a corporation's own plan or by operation of California law, a corporation seeking to avoid providing notice may be able to defer notice at the request of a law enforcement agency. Although the investigating agency must first make a determination that the notification would interfere with the criminal investigation, many law enforcement agencies provide such advice in computer intrusion cases, and the agency's standard operating procedures should be ascertainable through a pre-referral call with the agency.
Review all third-party contracts involving the transfer of sensitive personal data to ensure that such contracts contain information security provisions, including mandatory notification, rights to investigate, and the right to participate in or control reporting decisions involving customer data. The California law applies to all businesses that own or license computerized data. The statute provides no exception for circumstances where the owned or licensed data is in the possession or control of a third party or subcontractor at the time of the unauthorized acquisition. Accordingly, corporations should take measures to ensure that outsourcing contracts -- in addition to containing representations and warranties regarding information security issues (such provisions are required in certain instances by the Gramm-Leach-Bliley Act and its implementing regulations) -- also contain provisions requiring mandatory notification of suspected breaches, thus allowing the corporation to participate in the investigation into such incidents and to potentially control any decisions with regard to external reporting.