California Business Privacy Primer

Identity Theft: Addressing the Problem in California
Joanne McNabb, Chief
CA Office of Privacy Protection
Computers, Freedom and Privacy
April 23, 2004

Outline of Presentation
• Office of Privacy Protection
• CA Law on Notification of Security Breach (SB 1386)
• CA ID Theft Laws and FACTA

Office of Privacy Protection: Mission
• Promote and protect the privacy interests of individuals in a manner consistent with the California Constitution.
• Identify consumer privacy problems and facilitate development of fair information practices.

Office of Privacy Protection: Functions
• Offer assistance to consumers
• Provide information & education
• Coordinate with law enforcement
• Recommend best practices to protect individual privacy

Why People Contact OPP
[Chart: identity theft is by far the largest reason people contact the OPP, at about 69% of contacts. The remaining categories (telemarketing, financial privacy, general privacy, medical privacy, unsolicited communications) are each a small share; their exact percentages are not recoverable from the chart.]

The CA Constitution & Federal Preemption
California Constitution, Article 3, § 3.5:
"An administrative agency…has no power… (c) To declare a statute unenforceable, or to refuse to enforce a statute on the basis that federal law or federal regulations prohibit the enforcement of such statute unless an appellate court has made a determination that the enforcement of such statute is prohibited by federal law or federal regulations."

CA Identity Theft & Data Protection Laws in FACTA
• Blocking of ID theft info in credit files: CA Civil Code §§ 1785.16(k), 1785.16.1, 1785.16.3, 1785.20.3(b); FCRA § 605B
• Victim access to documents on fraudulent accounts: CA Penal Code § 530.8; FCRA § 609(e)
• Credit card number truncation: CA Civil Code § 1747.9; FCRA § 605(g)
• Destruction of customer records: CA Civil Code § 1798.81; FCRA § 628

CA Identity Theft Laws Not in FACTA
• Right of victim to get a police report: CA Penal Code § 530.6
• Rights of "criminal ID theft" victim: CA Penal Code §§ 530.6, 530.7
• Right of victim to 12 free credit reports in a year: CA Civil Code § 1785.15.3(b)
• Right of victim to bring action vs. claimant: CA Civil Code § 1798.93
• Right to freeze credit files: CA Civil Code § 1785.11.2 et seq.
• Burden of proof on debt collector in ID theft: CA Civil Code § 1788.18

CA Data Protection Laws Not in FACTA
• Ban on public display of SSNs: CA Civil Code § 1798.85 et seq.
• Ban on recording personal info on credit card transactions: CA Civil Code § 1747.8
• Limits on use of personal info swiped from DL: CA Civil Code § 1798.90
• Ban on recording credit card # on checks: CA Civil Code § 1725
• Secure mailing of "convenience checks": CA Financial Code § 22342(d)
• Requirement to notify of security breach: CA Civil Code §§ 1798.29, 1798.82 et seq.

Contacts on ID Theft & Security Breaches
[Chart: OPP contacts per fiscal year]
• FY 01/02: 345
• FY 02/03: 836
• FY 03/04 (thru 4/14/04): 3,054

CA Notice of Security Breach Law
• Applies to any person, company, or state agency
• Must notify people "in the most expedient time possible and without unreasonable delay" if personal information is acquired by an unauthorized person
• Civil Code §§ 1798.29, 1798.82 & 1798.84

Notice of Security Breach Law
• Applies to unencrypted, computerized data including personal info
• Personal info defined: first name or initial and last name, plus
  • SSN,
  • DL#, or
  • financial account number and any PW.
• Time allowed for internal analysis to determine scope, and for law enforcement investigation

Notice of Security Breach Law
• Notice may be:
  • Written, or
  • Electronic, or
  • Substitute, if the cost of notice is > $250,000 or > 500,000 people are affected
• Substitute notice must be all of:
  • E-mail when the agency has addresses
  • Web site posting
  • Major statewide media

The Notification Test
1. Was there a "breach of the security" of the data as defined?
2. Does the data include "personal information" as defined?
3. Does that "personal information" relate to a California resident?
4. Was the "personal information" unencrypted?
5. Was the "personal information" acquired, or reasonably believed to have been acquired, by an unauthorized person?

Examples of Incidents
• Hacking into a server containing a file with names & SSNs
• Stolen computers with names & SSNs
• Documents containing names & SSNs mailed to the wrong people
• Server hijacked for use as a relay to download music or to send spam (server has files with names, SSNs, etc.)

Best Practices Document
• "Recommended Practices on Notification of Security Breach Involving Personal Information"
  • Protection & Prevention
  • Preparation for Notification
  • Notification (with sample letters)
• Available on the Web site on the Recommended Practices page

Contact Information
Joanne McNabb, Chief
400 R Street, Suite 3080
Sacramento, CA 95814
916-322-4420
joanne_mcnabb@dca.ca.gov
www.privacy.ca.gov
CFP, April 23, 2004