Marc J. Zwillinger is the chair of the Information Security and Anti-Piracy practice group at Sonnenschein Nath & Rosenthal and is a former cybercrime prosecutor with DOJ. He provides advice and counsel on preventing, minimizing and recovering losses from cybercrime to some of the nation's leading financial institutions and consumer companies. Marc can be reached at firstname.lastname@example.org.
As most corporate information security personnel are well aware, California's first-of-its-kind information security legislation (SB 1386) -- requiring entities or individuals who do business in California to notify California residents whenever their unencrypted personal information is reasonably believed to have been compromised -- goes into effect on July 1, 2003. The novel notification required by the new law must occur "in the most expedient time possible and without unreasonable delay." Customers injured by violations of the statute are authorized to bring private lawsuits for damages. Because most corporations do not routinely segregate data related to California residents from other customer or employee data, this legislation may have a significant effect on how companies across the United States handle information security issues. This article discusses some of the key provisions of the new legislation and offers specific recommendations for implementing information security protocols to comply with the new legislation in a manner designed to protect corporate interests.
The scope of the legislation
The new legislation applies to California state agencies, as well as any person or business that both conducts business in California and owns or licenses computerized data ("covered entities"). Although the statute only requires covered entities to notify residents of California and not all customers or employees of a breach, the security breach need not occur in California for the statute to apply. Accordingly, if an entity that does business in California suffers a computer intrusion in New York, the California law would apply if personal information pertaining to California residents was compromised.
The California law applies whenever a covered entity determines or reasonably believes that there has been a breach of the security of the system containing such information and that unencrypted personal information of a California resident has been acquired by an unauthorized person (See Cal. Civ. Code § 1798.82 (a).). A "breach of the security of the system" is defined as "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business"(See id. at § 1798.82 (d).).
The statute provides no specific guidance as to who would be considered an unauthorized person. By defining the trigger for notification as acquisition by an unauthorized person, however, and not information that was acquired as a result of unauthorized conduct, the law does not necessarily require a company to disclose every instance of employee misconduct. That is, if a company employee who is normally authorized to work with certain customer information, violates an internal policy, gaining access to additional customer information, such abuse would not necessarily require disclosure. This analysis would differ, however, if the company knew that the internal employee was distributing the information to outsiders.
For the purposes of the California law, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements when either the name or the data elements are not encrypted: (1) social security number, (2) driver's license number or California ID card number or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account. "Personal information" does not include publicly available information (See id. at § 1798.82 (e).).
Nothing in the statute limits the covered data to information about clients or customers. Accordingly, employee personnel data appears to be covered by the statute. Notably, however, the statute provides a civil cause of action only to customers (See id. at § 1798.84 (a).). For many types of entities, however, this distinction is not significant, as some employees may also be customers. In a pure employment situation, it does not appear that California employees could bring a civil action for a breach of the notification requirement.
The notice requirements
Notice may be provided by (1) written notice, (2) electronic notice (if consistent with provisions regarding electronic notice and signature set forth in section 7001 of Title 15 of the U.S. Code), (3) substitute notice, if the person or business demonstrates that the cost of providing notice exceeds $250,000, or that the affected class of persons to be notified exceeds 500,000 (See id. at § 1798.82(g).). The substitute notice provisions are quite onerous and require a company to do all of the following: (1) notify the customer by e-mail, (2) make a conspicuous posting of the notice on the company's Web site and (3) provide notification to major statewide media. Notably, however, notification in compliance with the internal notification policies of a business is acceptable if that business maintains its own notification procedures as part of an information security policy and the timing of such notification is consistent with California law (See id. at § 1798.82(g)(3).). The law also permits the notification to be temporarily delayed to determine the scope of the breach and restore system integrity or if a law enforcement agency determines that immediate disclosure would impede an ongoing criminal investigation (See id. at § 1798.82(a).).
Read part two of Compliance with California's new mandatory disclosure law for strategies for compliance.