14 May 2003

New California Data Security Law to Have Broad Reach

Goodwin Procter LLP


By Mary J. Hildebrand and Jacqueline Klosek

Recent amendments to California’s Civil Code will require companies to notify their customers of certain computer security breaches. Significantly, the law, referred to as S.B. 1386, will apply to any online business having customers in California – even if the business itself is not based in California. Accordingly, many entities that conduct online business in California are likely to be affected by this new law.

Pursuant to S.B. 1386, which will enter into force on July 1, 2003, all agencies, persons or businesses that conduct online business in California and that own or license computerized data containing personal information will be required to report breaches in the security of such data to any resident of California whose personal information has been compromised as a result of the breach.

Notification Requirements

In order to trigger the notification requirements under the law, the security breach must involve personal information, which is defined as an individual’s first name or first initial and last name combined with one or more of the following pieces of data: (i) social security number; (ii) driver’s license number or California Identification Card number; or (iii) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. Furthermore, the notification requirements will only be triggered in situations in which either the name or the additional data elements are not encrypted.

Where an agency, person or business is processing such personal information and suffers a breach of the security of its systems, it must notify the affected customers in "the most expedient time possible and without unreasonable delay." Significantly, the new law defines a breach of security broadly as an "unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the agency, person or business."

Provision of Notification

Individuals or entities required to provide such notice may do so in writing or electronically. However, all electronic notices must be in compliance with the federal Electronic Signatures in Global and National Commerce Act of 2000. Notwithstanding the foregoing, in instances where (i) the cost of providing the requisite notice would exceed $250,000, (ii) the number of people to be notified exceeds 500,000, or (iii) sufficient contact information is not available, the affected individual or entity may provide substitute notice, which would consist of providing all of the following: (i) e-mail notice if e-mail addresses are available; (ii) Web site notice provided there is a Web site that can be used to post such notice; and (iii) notification to major statewide media.

Penalties

Residents of California may enforce the law through civil actions to recover damages. Furthermore, businesses that violate the requirements of the law may be enjoined.

Goodwin Procter LLP is one of the nation's leading law firms, with a team of 650 attorneys and offices in Boston, New York and Washington, D.C. The firm combines in-depth legal knowledge with practical business experience to deliver innovative solutions to complex legal problems. We provide litigation, corporate law and real estate services to clients ranging from start-up companies to Fortune 500 multinationals, with a focus on matters involving private equity, technology companies, real estate capital markets, financial services, intellectual property and products liability.

This article, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin Procter LLP or its attorneys. (c) 2003 Goodwin Procter LLP. All rights reserved.
