Identity Theft: Addressing the Problem in California
Joanne McNabb, Chief, CA Office of Privacy Protection
Computers, Freedom and Privacy, April 23, 2004

Slide 2: Outline of Presentation
- Office of Privacy Protection
- CA Law on Notification of Security Breach (SB 1386)
- CA ID Theft Laws and FACTA

Slide 3: Office of Privacy Protection Mission
- Promote and protect the privacy interests of individuals in a manner consistent with the California Constitution.
- Identify consumer privacy problems and facilitate development of fair information practices.

Slide 4: Office of Privacy Protection Functions
- Offer assistance to consumers
- Provide information & education
- Coordinate with law enforcement
- Recommend best practices to protect individual privacy

Slide 5: Why People Contact OPP
[Chart: contact categories by share. ID theft is by far the largest category at about 69%; the remaining categories (telemarketing, privacy practices, general privacy, financial, medical, unsolicited contacts, other) each account for 12% or less.]

Slide 6: The CA Constitution & Federal Preemption
California Constitution, Article 3, § 3.5: An administrative agency…has no power… (c) To declare a statute unenforceable, or to refuse to enforce a statute on the basis that federal law or federal regulations prohibit the enforcement of such statute unless an appellate court has made a determination that the enforcement of such statute is prohibited by federal law or federal regulations.

Slide 7: CA Identity Theft & Data Protection Laws in FACTA
- Blocking of ID theft info in credit files: CA Civil Code §§ 1785.16(k), 1785.16.1, 1785.16.3, 1785.20.3(b); FCRA § 605B
- Victim access to documents on fraudulent accounts: CA Penal Code § 530.8; FCRA § 609(e)
- Credit card number truncation: CA Civil Code § 1747.9; FCRA § 605(g)
- Destruction of customer records: CA Civil Code § 1798.81; FCRA § 628

Slide 8: CA Identity Theft Laws Not in FACTA
- Right of victim to get police report: CA Penal Code § 530.6
- Rights of "criminal ID theft" victim: CA Penal Code §§ 530.6, 530.7
- Right of victim to 12 free credit reports in a year: CA Civil Code § 1785.15.3(b)
- Right of victim to bring action vs. claimant: CA Civil Code § 1798.93
- Right to freeze credit files: CA Civil Code § 1785.11.2 et seq.
- Burden of proof on debt collector in ID theft: CA Civil Code § 1788.18

Slide 9: CA Data Protection Laws Not in FACTA
- Ban on public display of SSNs: CA Civil Code § 1798.85 et seq.
- Ban on recording personal info on credit card transactions: CA Civil Code § 1747.8
- Limits on use of personal info swiped from DL: CA Civil Code § 1798.90
- Ban on recording credit card # on checks: CA Civil Code § 1725
- Secure mailing of "convenience checks": CA Financial Code § 22342(d)
- Requirement to notify of security breach: CA Civil Code §§ 1798.29, 1798.82 et seq.

Slide 10: Contacts on ID Theft & Security Breaches
- FY 01/02: 345
- FY 02/03: 836
- FY 03/04 (through 4/14/04): 3,054

Slide 11: CA Notice of Security Breach Law
- Applies to any person, company or state agency
- Must notify affected people "in the most expedient time possible and without unreasonable delay" if personal information is acquired by an unauthorized person
- Civil Code §§ 1798.29, 1798.82 & 1798.84

Slide 12: Notice of Security Breach Law
- Applies to unencrypted, computerized data including personal information
- Personal information defined as first name or initial and last name, plus any of:
  • SSN,
  • DL#, or
  • financial account number and any password.
- Time is allowed for internal analysis to determine the scope of the breach, and for law enforcement investigation

Slide 13: Notice of Security Breach Law
- Notice may be written, electronic, or substitute notice if >$250,000 or >500,000 people
- Substitute notice must be all of: email when the agency has addresses; Web site posting; major statewide media

Slide 14: The Notification Test
1. Was there a "breach of the security" of the data as defined?
2. Does the data include "personal information" as defined?
3. Does that "personal information" relate to a California resident?
4. Was the "personal information" unencrypted?
5. Was the "personal information" acquired, or reasonably believed to have been acquired, by an unauthorized person?

Slide 15: Examples of Incidents
- Hacking into a server containing a file with names & SSNs
- Stolen computers with names & SSNs
- Documents containing names & SSNs mailed to the wrong people
- Server hijacked for use as a relay to download music or to send spam (server has files with names, SSNs, etc.)

Slide 16: Best Practices Document
"Recommended Practices on Notification of Security Breach Involving Personal Information"
- Protection & Prevention
- Preparation for Notification
- Notification (with sample letters)
Available on the Web site's Recommended Practices page

Slide 17: Contact Information
Joanne McNabb, Chief
400 R Street, Suite 3080
Sacramento, CA 95814
916-322-4420
joanne_mcnabb@dca.ca.gov
www.privacy.ca.gov
CFP, April 23, 2004
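The five-question test on the Notification Test slide, combined with the personal information definition on the Notice of Security Breach Law slide, is easy to turn into an incident-triage checklist. The Python below is an added example, not part of the presentation or the Office of Privacy Protection's materials; the `Incident` fields and column names are assumptions, and the personal information rule follows the slide's summary rather than the full statutory text.

```python
from dataclasses import dataclass

@dataclass
class Incident:
    """Facts gathered during triage (constructed; field names are assumptions)."""
    breach_of_security: bool        # Q1: unauthorized access to computerized data?
    fields_exposed: frozenset       # column names present in the affected data set
    california_residents: bool      # Q3: does the data relate to CA residents?
    data_encrypted: bool            # Q4: was the data encrypted?
    acquired_by_unauthorized: bool  # Q5: acquired, or reasonably believed acquired?

def is_personal_information(fields):
    """Q2, per the slide's summary: (first name or initial + last name) plus
    SSN, DL#, or a financial account number together with a password."""
    has_name = ("first_name" in fields or "first_initial" in fields) and "last_name" in fields
    has_trigger = ("ssn" in fields or "drivers_license" in fields
                   or ("account_number" in fields and "password" in fields))
    return has_name and has_trigger

QUESTIONS = ("breach of the security", "personal information as defined",
             "relates to a California resident", "personal information unencrypted",
             "acquired by an unauthorized person")

def notification_test(inc):
    """Apply the five questions in order. Returns (notify, first_failed_question)."""
    answers = (inc.breach_of_security,
               is_personal_information(inc.fields_exposed),
               inc.california_residents,
               not inc.data_encrypted,
               inc.acquired_by_unauthorized)
    for question, passed in zip(QUESTIONS, answers):
        if not passed:
            return False, question   # a single "no" means the law is not triggered
    return True, None

# Constructed incidents modelled on the "Examples of Incidents" slide.
STOLEN_LAPTOP = Incident(True, frozenset({"first_name", "last_name", "ssn"}), True, False, True)
ENCRYPTED_LAPTOP = Incident(True, frozenset({"first_name", "last_name", "ssn"}), True, True, True)
ACCOUNTS_NO_PW = Incident(True, frozenset({"first_initial", "last_name", "account_number"}),
                          True, False, True)

if __name__ == "__main__":
    for name, inc in [("stolen laptop", STOLEN_LAPTOP), ("encrypted laptop", ENCRYPTED_LAPTOP),
                      ("account list without passwords", ACCOUNTS_NO_PW)]:
        print(name, notification_test(inc))
```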