California maintains broad protections for consumer related data, and places specific notification and other requirements on California businesses, in the event of a security breach that could expose a customer’s personal information to individuals who are not authorized to access that personal information. California Civil Code Section 1798.82 addresses data security breaches and what a business must do if there is a breach of the security of the business’s system. This blog briefly reviews the requirements of California law in the event of an infiltration or hack and outlines how businesses should approach a potential or actual breach of their security system.
What is a data breach?
California law does not specifically use the term “data breach”; rather, it identifies a “breach of the security of the system” (“Breach”) (Civil Code §1798.82(g)). A Breach is the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by…the business.” There is an express exemption for information that is shared in good faith by an employee or agent of the business, for the purposes of the business.
However, businesses should take care that information shared in good faith is not subsequently used, or subjected to, an unauthorized disclosure. Depending on the type of business and the nature of the information maintained and disclosed, it is highly advisable for a business to place terms and conditions on the use of any data with its employees, business partners and vendors.
A Breach can include unencrypted data and encrypted data, which means that even if the information taken is protected by some level of encryption, a business may still be required to notify its customers of the Breach.
Organizations doing business in California must take affirmative steps to protect and guard against any Breach. Depending on the type and amount of data maintained by an organization, protecting against a Breach likely requires a business to invest in proactive and protective tools, processes and procedures that articulate how that data is handled and maintained.
What should a business do if there is a Breach?
The first hours from when a Breach is suspected or discovered are critical. A business that believes it is subject to a Breach should immediately engage its IT professionals to identify the extent of any breach, and close any other remaining breaches to the system. Law enforcement, the business’s insurance broker and legal counsel should also be contacted, as soon as possible
After the initial disclosures and after identifying the extent of the infiltration, the business should quickly and carefully work to identify the type and classes of data that were potentially exposed, and assess whether any “personal information” has been potentially or actually released. This assessment will be different for every type of business, and will depend upon the nature of information maintained by the business, and that of the systems which were the subject of the infiltration. Contemporaneously, the business should document every step taken to identify and secure any information or document that is hacked.
How do you know if personal information has been compromised?
Under the Civil Code, personal information includes: (i) a person’s first name or first initial and last name in some combination, when the data is not encrypted; (ii) social security number; Driver’s license number, CA identification card, tax ID number, passport number, military ID number, or other unique ID number that could be used to verify an individual’s identity; (iii) account number or credit/debit card number, in combination with any required security code, access code, or password that would allow access to a financial account; (iv) medical information; (v) health insurance information; (vi) biometric data; or (vii) a username or email address, in combination with a password or security question and answer that would permit access to a user’s online account.
A business’s IT staff or contractors are the best resource for an organization to initially determine the type, amount, and extent of any data that was taken. Additionally, if the data is encrypted, businesses need to quickly determine whether any security codes or encryption keys were also compromised.
What is the legal requirement for notification of a Breach?
California law (and perhaps a business’s written agreement with its customers) requires a business to timely notify any California resident whose unencrypted or personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. The Civil Code does not provide a specific time frame for when the notice must be delivered to affected customers. Instead, the law states that the notice and disclosure shall be made in the most expedient time possible and without unreasonable delay. A business is able to take some time to determine the scope of the breach, and restore the reasonable integrity of the data before issuing any notice.
Additionally, in a circumstance where law enforcement has made a determination that a notification or disclosure would impede a criminal investigation, a business must follow law enforcement’s direction on any notice to its customers. However, once the scope of the breach is determined, the integrity of the data has been reasonably restored, and it is determined by law enforcement that any notification required would not impede the investigation, a business must promptly make the required notification.
If the data infiltrated was encrypted, the business is first required to determine whether the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person. If the business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable, then the business will need to take steps to timely prepare and send the notification required by law and by any agreement the business has with the consumer or customer.
If the Breach would impact more than 500 California residents, a copy of any notice generated as a result of the Breach must also be electronically submitted to the California Attorney General’s office.
A business should look to California Civil Code §1798.82(d), which provides the requirements and a model security breach notification form. The required notice must be in at least ten (10) point font, must communicate the extent and nature of the Breach, in plain language, and should limit technical jargon and terms of art. The notice also should conspicuously and clearly identify specific headings meant to inform the customer about the details of the breach, and what the business is doing about it. The basic information prescribed in the Civil Code must be included even if a business intends to use its own letterhead, or chooses to include additional information not required by the Civil Code. Specifically, the notice must provide the following: (i) “What Happened”; (ii) “What Information was Involved”; “What You Can Do”; and, (iv) What you need to do “For More Information”.
Sadly, doing business in today’s environment will require businesses to carefully assess the information that they require, obtain and store from their customers. Depending on the industry, the type of data obtained from customers will vary greatly. Regardless, businesses should not ignore any legal or contractual requirements to protect any customer data received, and should proactively prepare for a Breach. This would include hiring competent IT professionals that understand the legal requirements that apply to the business’s particular field or industry, creating internal procedures, notification checklists, and forms of notices that may be required in the unfortunate event that your business sustains any Breach.
The attorneys at Carmel & Naccasha are experienced in drafting, reviewing, and preparing policies, procedures, and notices related to an organization’s data practices. If you have been the subject of a Breach, or would like to proactively prepare for one, in the unfortunate event a Breach occurs in the future, please contact our offices.
Ziyad I. Naccasha