New California Privacy Law to Require Companies to Publicly Disclose Security Breaches in Unencrypted Databases Holding Personal Information
A new California privacy law taking effect on July 1, 2003, will require companies operating in California to assess the security of their computer databases containing personal information. The law requires businesses that maintain personal information on computer systems to disclose any unauthorized acquisition of that information to the affected individuals. The measure is intended to give consumers notice of possible identity theft and other misuse of their personal information when a hacker gains unauthorized access to a database containing it. The new requirement also gives companies a direct incentive to identify and close data security holes that could lead to identity theft, since each such hole is now a potential disclosure event.
Disclosure of Security Breaches
The law requires all businesses that own, license or maintain any “computerized data” that contains “personal information” to disclose any breach of the security of that data to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by a hacker or other unauthorized person. There is no fixed deadline within which notice to the affected person must be given, but it must be made in the “most expedient” manner possible and without unreasonable delay. A person injured by a violation of these new rules is authorized to sue the business for damages or for an injunction.
Under this measure a breach of security occurs when computerized data is acquired without proper authorization in a way that compromises the security, confidentiality, or integrity of personal information maintained by the business. It does not include situations where employees or agents of the business acquire personal information in good faith for the business’s own purposes, provided that the information is not used or subjected to further unauthorized disclosure.
“Personal information,” as used in this context, means an individual’s first name, or first initial, and last name in combination with any of the following data elements: (1) social security number; (2) driver’s license number or California I.D. card number; or (3) a financial account number, credit card number or debit card number (when coupled with the account access code such that a hacker could gain unauthorized access to individual financial accounts).
Safe Harbor When Data Is Encrypted
Significantly, the measure also establishes a safe harbor for companies that encrypt the personal information held in their databases. If a company maintains both the name and the associated data elements in encrypted form, a breach of that database does not trigger the disclosure requirement. The measure therefore gives firms a way to shield themselves from the obligation to disclose a breach; however, it does not define encryption or set any standard for it, and it says nothing about key management. A company relying on the safe harbor should therefore be prepared to show that the encryption in place was genuine and that the keys needed to read the data were not themselves exposed in the same incident, since the statute offers no guidance on either point.
In addition, the measure does not set forth clear standards for determining when a “breach of security” has actually occurred. The disclosure duty is triggered not only when unauthorized acquisition is confirmed, but whenever personal information is reasonably believed to have been acquired by an unauthorized person. Breach is defined generally as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” Companies will need to interpret this obligation in a way that satisfies the statute without creating exaggerated consumer fears or undermining investor confidence through unnecessary disclosures of attempted intrusions, port scans or similar events that do not rise to the level of a breach. In practice this means keeping enough logging and access records to distinguish an attempt from an actual acquisition of data.
Unlike many other privacy laws, which focus on prohibiting certain uses of personally identifiable information, this broad measure imposes an affirmative obligation on companies to disclose failures in the security of databases containing such information. Firms that maintain personal information face a choice: encrypt that information, or accept the requirement to disclose any breach of the databases that hold it. Either way, the law will force businesses operating in California that keep personal information in computer databases to carefully assess the security of those databases.
If you have further questions or concerns about this new law, or any other privacy issues, please contact us.