Data Breach - What You Need to Know Now: California's Data Security Breach Notification Law
Security of personal information is rapidly becoming a major challenge (and a source of potentially significant exposure) for businesses of all shapes and sizes. Indeed, you have undoubtedly received an email or a letter notifying you that your personal information may have been accessed illegally. And the frequency of high-profile breaches continues to increase. For example, in April 2011, Sony’s PlayStation Network was hacked and the perpetrators were able to gain access to the names, passwords, credit card numbers, and addresses of 77 million users. In March 2011, RSA (the maker of SecurID tokens, which are used by 25,000 businesses) was the victim of hackers who stole information and cloned the tokens.
According to the Privacy Rights Clearinghouse, a nonprofit consumer organization, since 2005 at least 500 million sensitive records have been compromised. The U.S. Department of Justice reports that over 3.5 million consumers are the subject of identity theft each year, while the Federal Trade Commission estimates that number to be closer to nine million. The time and dollar loss resulting from such breaches is substantial and rising. According to the Ponemon Institute of Michigan, the average cost to a company per data security breach is $4.8 million. While many businesses have taken self-regulated steps toward protecting the collection and processing of personal information, state governments have also stepped in to protect the consumer and help the public remain confident in engaging in electronic transactions.
In 2003, the State of California led the way by enacting the first data security breach notification law, and 46 of the 50 states have followed (Alabama, Kentucky, New Mexico and South Dakota do not yet have data security breach notification laws). However, California’s original law did not specify the types of information that had to be disclosed in the notification, and as a result many consumers who received notices did not understand what the notice was telling them or how to take action. To address these concerns, on August 31, 2011, California Governor Jerry Brown signed into law SB-24, a bill that amends the state’s data breach notification law to further define what businesses must disclose in the notification letter if a data security breach occurs.
The updated law requires that the breach notification letters include information such as the type of personal information exposed, a description of how the security breach happened, the time of the security breach, and the toll-free numbers and addresses of the major credit reporting agencies in California. Furthermore, businesses are now explicitly required to send the notification letters “in the most expedient time possible and without unreasonable delay.” Finally, the updated law requires the business that experienced a data security breach to notify the state attorney general in the event that 500 or more people are affected by the breach. These new requirements are intended to assist individuals in understanding the breach and to empower them with the tools necessary to take action to protect their identities. While there are no explicit penalties for failing to comply with this law, the attorney general may prosecute violations, and individuals can sue (as an uncertified class-action suit) for an unfair business practice under California’s Business and Professions Code.
If you do business in California or you maintain personal information of California residents, you are required to comply with this law. On a broader scale, there is ample indication that other states are likely to again follow California’s lead.