California recently entered new territory in legislative responses to the growing problem of identity theft. A new law requires a business to notify any California resident whose personal information may have been compromised by a breach of its computer security. The legislature was acting, at least in part, in response to an incident in which hackers obtained the personal information of over a quarter of a million state employees in an attack on a government database. A company that violates the notification requirements is subject to a suit for damages and civil penalties.
The measure’s impact would be significant even if it were confined to California, but the law likely will have much more far-reaching effects. It applies to any company that conducts business in California. It may take court decisions to sort out what constitutes doing business in California, but any business having contacts with California customers should be aware of this law. Moreover, although the law only speaks to the interests of California residents, a case can be made for notifying any customers affected by a breach. Otherwise, customers in other states who are the victims of identity theft might argue that a company was negligent in not extending them the same treatment as Californians.
The disclosure requirements apply only to unauthorized access to a person’s name in combination with any of the following: their Social Security number, driver’s license number, or information from a financial account. Encrypted personal information and information in public records are outside the law, but it is up to the business to determine what personal information in its possession is subject to the law and whether such information has been acquired by an unauthorized person. This places a premium on having adequate security systems and procedures in place to detect an intrusion and respond to it.
Businesses with customers in California are well advised to put into place incident response policies and procedures even before experiencing any breach of a security system. Not only will this allow the kind of prompt response required by the law, but another provision states that following such a policy for notifying affected persons will be treated as compliance with the law’s notification requirements. If a business does not already have its own notification procedures in an information security policy, it must give the notice by methods set forth in the law.