New Law Requires Businesses in California to Report Electronic Break-Ins

TECHNOLOGY & INTELLECTUAL PROPERTY DEPARTMENT E-NEWS — JULY 3, 2003
By Polly Dinkel and Heather Kirlin
In the wake of a security breach at one of its own data centers, the State of California has enacted legislation that requires businesses to disclose computer security breaches. The stimulus for the legislation occurred in April 2002, when California’s Steven P. Teale data center in Rancho Cordova suffered a security breach of the state’s payroll application system, resulting in the compromise of confidential information, including names, social security numbers, and payroll information, of over 250,000 state employees. Although the breach was discovered by the State Controller’s office on May 7, the affected employees and public were not notified about the attack until May 24, thereby leaving the state employees’ information open to misuse for weeks.
Prompted by outrage over this incident, the California legislature passed S.B. 1386, which was signed into law by Governor Davis on September 25, 2002. The new law requires persons or companies conducting business in California to promptly disclose any breach of a network security system to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The law, which takes effect July 1, 2003, is the first of its kind in the country.
The law covers all sizes and types of businesses, with no exemptions for small businesses or non-profit organizations. Moreover, the law covers all companies “conducting business in California,” not just California corporations or other entities registered with the state. Because the term “conducting business in California” is not defined by the statute, it is possible that activity as minimal as having one employee in the state could subject a company to its requirements.
The law defines a “breach” of a security system as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. “Personal information” is defined as an individual’s first name or first initial and last name in combination with one or more of the following: (1) social security number; (2) driver’s license number or California Identification Card number; or (3) account number, credit card or debit card number, in combination with any password that would permit access to an individual’s financial account.
If a security breach of personal information occurs, the business must provide notice to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The notice must be made following discovery or notification of the breach “in the most expedient time possible and without unreasonable delay,” consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The required notification may be delayed if a law enforcement agency determines that the notification would impede a criminal investigation.
The statute states that notice may be provided either by written notice or by electronic notice, if the electronic notice is consistent with the federal Electronic Signatures in Global and National Commerce Act of 2000 (known as “E-SIGN”). Alternatively, the business may opt to provide “substitute notice” if it can show that the cost of providing notice in one of these two manners would exceed $250,000, that the affected class of subject persons to be notified exceeds 500,000, or that insufficient contact information is available. Substitute notice requires that the business notify its customers by doing all of the following: (1) e-mailing notice when it has an e-mail address for affected persons; (2) conspicuously posting the notice on its web site (if it maintains one); and (3) notifying major statewide media.
There are two notable exceptions to the statute’s demands. First, the law only applies to breaches involving “unencrypted personal information.” While the statute does not define what is meant by “unencrypted,” businesses that use some form of encryption to protect personal information can probably take the position that they are exempt from the obligation to provide notice of a security breach. Second, businesses that maintain their own notification procedures comparable to the statute’s requirements will be deemed in compliance with the statute’s notification provisions.
Failure to comply with the law may result in a consumer action for an injunction or damages.