Melissa C. Marsh, Esq.
 

Corporate Client Bulletin


June 2003

California Law Requires Prompt Notice of a Security Breach – Civil Code § 1798.82
Prepared By: Melissa C. Marsh

California’s security breach notification law, codified in Civil Code §§ 1798.82-1798.84, which becomes effective July 1, 2003, requires companies doing business in California or with California residents to notify residents of security breaches and unauthorized access to their unencrypted personal information. The notification requirements are triggered when, due to a security breach, unencrypted data is revealed that includes a California resident's name paired with one of the following pieces of personal information: (1) social security number; (2) driver's license or California Identification Card number; or (3) bank account number or credit/debit card number, if in combination with any kind of password or PIN. The notification requirements apply to all businesses that conduct business in California, even if the business is incorporated elsewhere and even if the data itself is stored outside California. Companies that fail to properly safeguard personal information, or to notify California consumers of intrusions, can be sued for damages and injunctive relief in civil court. Since the law exempts personal information that a company has stored in an encrypted format, encrypting data may be the easiest way to comply.

If a breach occurs and the personal information is not encrypted, the business must notify "in the most expedient time possible and without unreasonable delay" any and all California residents whose personal information was acquired, or is believed to have been acquired. The law requires prompt notice without unreasonable delay unless: (1) a law enforcement agency determines that notification would impede a criminal investigation or (2) the company needs additional time to determine the scope of the breach and restore integrity to its data system.

Notice to California residents can be written, electronic if in compliance with the federal E-SIGN Act, or in accordance with a pre-existing information security policy. "Substitute notice" is allowed only if the cost of providing notice exceeds $250,000, if more than 500,000 people must be notified, or if the business cannot locate all of the affected individuals. "Substitute notice" consists of: (i) notice by e-mail; (ii) notice on the party’s Website; and (iii) "notification to major statewide media…"

Businesses need to have systems and procedures in place that dictate how they will effectively and legally respond to a security breach. All businesses should:

  1. Assess the feasibility of encrypting all personal information;

  2. Create a new security policy with notification procedures in the event of a breach, and communicate the new policies and procedures to employees;

  3. Amend their online terms of use and privacy policy to reflect the new policies and procedures in the event of a security breach and provide for arbitration, and/or a limitation on liability, in the event of a security breach;

  4. Review their contracts with third parties who have access to the company's customer data to ensure they have sufficient security measures in place (e.g., required encryption), identified procedures to respond to a security breach (mandatory notification provisions), indemnity provisions, and insurance coverage for claims resulting from security breaches; and

  5. Review insurance policies to determine whether there is coverage for claims related to security breaches, or theft of electronic data.

© Melissa C. Marsh 2003 All Rights Reserved.


If you have any questions, or would like further information, please e-mail us at
mmarsh@yourlegalcorner.com or call: 323-655-1002.

Disclaimer: This article has been prepared by Melissa C. Marsh for general informational purposes only and does not constitute legal advice. Readers should not rely or act upon the information contained in this article for any purpose without seeking legal advice from a local licensed attorney in your state. This article is not, and should not be used as, a substitute for legal advice as your specific factual circumstances may differ, the laws of your jurisdiction may differ, and the laws may have changed. Your use of this Internet site does not create an attorney-client relationship. Transmission of this article is not intended to create, and receipt of it does not constitute, an attorney-client relationship. All uses of the contents of this site, other than personal uses, are prohibited.