Information concerning your purchases, credit, interests and inquiries is stored on the servers of most businesses, both internet businesses and other types, in which you use credit cards to purchase items. Such information is of great value to business owners who seek to identify their customers and their customers’ buying history so as to anticipate future sales.
Such information is also of great value to those interested in “identity theft” who seek to utilize personal information about you to both purchase items and services in your name or perhaps sell your name and information to third parties for both legitimate and illegitimate purposes. With servers usually attached to the internet, hackers can seek to steal such information from legitimate companies for whatever purposes they may have in mind and those hackers are often located in foreign locales beyond the effective reach of United States law.
Further, such information may be of extreme value to other business entities who seek to locate potential customers and to determine the financial wherewithal of potential customers. Such information is often sold to third parties for legitimate business purposes for substantial profit. A good example is a high end travel agency selling its list of cruise customers to high end hotels or retailers.
With internet purchases becoming an increasingly pervasive part of every consumer’s life, California has sought to create some protection for consumers both in terms of notification of theft of their financial data (SB 1386) and in terms of use of financial information about the consumer (The California Financial Information Act). This article shall briefly describe the statutory protection scheme for notification of consumers as to data theft and give some practical guidelines as to how a business should address such issues.
Notification Requirements for Data Breach:
California law now obligates any entity which is electronically storing the unencrypted personal information of any California resident to notify such persons of a security breach to the data base storing such data. While the statute was created to protect against identity theft, there are far ranging legal implications.
The ramifications of non-compliance by a company can be severe. The company is liable for failure to notify consumers of a security breach, and that liability can include class-action lawsuits brought against the company. The cost of notifying a large number of consumers, and the decline in the reputation of the company forced to notify them, was designed to act as an incentive for companies to create hack-proof databases. When one realizes that the company essentially guarantees against loss to consumers caused by the data theft if it fails to warn them as required by the statute, one realizes that this statute imposes upon holders of such data a significant burden to achieve notification before such data is used wrongfully.
Definitions: The statute defines “personal information” as an individual’s first name or first initial and last name in combination with any one or more of the following if not encrypted: (a) social security number; (b) driver’s license number or California ID card number; (c) account number, credit or debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account. Personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local governmental records.
The statute requires a company to notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The statute does not give precise wording as to the terms of the notification but does require such notification to occur in “…the most expedient time possible and without unreasonable delay.” Note that a company is allowed to delay notification if a law enforcement agency determines that the notification would impede an ongoing criminal investigation.
Notice may be provided in writing or electronically if the electronic notice is in conformity with federal law regarding electronic records.
Substitute Notice: A company that can demonstrate that the cost of providing notice would exceed two hundred and fifty thousand dollars or that the affected number of persons to be notified exceeds five hundred thousand persons or that the company does not retain sufficient information to achieve such notice may utilize, instead, “substitute notice.”
Such substitute notice requires three actions:
1. E-mail notice if the company has the e-mail address;
2. Conspicuous posting of the notice on the company’s website if it has one; and
3. Notification in a major state-wide media.
A company may also adopt its own information security policy that affords substantially the same protection and if it conforms to that policy, it has adhered to the statute.
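The definition and the substitute-notice thresholds above can be checked mechanically against a data inventory. The following is an added example written for this article, not code from the statute or any vendor; the field names, the DataStore/Field types and the treatment of an encrypted name alongside cleartext data elements (conservatively counted as triggering) are assumptions.

```python
from dataclasses import dataclass

# Data elements the statute lists. An account or card number counts only when
# paired with a code or password that would permit access to the account.
STANDALONE_IDS = {"ssn", "drivers_license", "ca_id_card"}
ACCOUNT_IDS = {"account_number", "credit_card", "debit_card"}
ACCESS_CODES = {"security_code", "access_code", "password"}


@dataclass
class Field:
    name: str           # assumed canonical field name, e.g. "ssn"
    encrypted: bool = False


@dataclass
class DataStore:
    fields: list

    def names(self):
        return {f.name for f in self.fields}

    def cleartext(self):
        return {f.name for f in self.fields if not f.encrypted}


def is_personal_information(store: DataStore) -> bool:
    """True if a breach of this store would expose statutory 'personal information'."""
    present, clear = store.names(), store.cleartext()
    # Name test: first name or first initial, plus last name (assumption:
    # an encrypted name next to cleartext elements is still counted).
    if "last_name" not in present:
        return False
    if not ({"first_name", "first_initial"} & present):
        return False
    # Data-element test, applied only to unencrypted fields.
    if clear & STANDALONE_IDS:
        return True
    return bool(clear & ACCOUNT_IDS) and bool(clear & ACCESS_CODES)


def notification_method(affected: int, notice_cost_usd: float,
                        has_contact_info: bool) -> str:
    """Pick 'individual' or 'substitute' notice from the statute's thresholds."""
    if (notice_cost_usd > 250_000 or affected > 500_000
            or not has_contact_info):
        return "substitute"
    return "individual"
```

Running the store inventory through is_personal_information shows which tables put the company under the notification duty, and encrypting the listed data elements removes them from the test.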
Strategies and Thoughts:
The wise company will keep full records of the contents and protections of its entire computer system, including what customer information it maintains and what security procedures it has in place to protect the data. It should adopt a procedure for security breaches that comes into play quickly and should be able to demonstrate to both management and prospective customers the security program it has installed. Customer data must be treated as confidential information and protected with the same concentration and processes that the company should use for the protection of any other similar type of information, with the added caution that third parties…the consumers…have a right to insist upon such protection.
Note that notice to customers as to safeguards must conform to the numerous state and federal laws regarding false or misleading advertising since the Federal Trade Commission has prosecuted companies for false and misleading security or privacy representations posted on the website or elsewhere.
By far the best method to protect data and avoid liability is to encrypt the information. Note that the California statute only applies to “unencrypted personal information.” While the initial cost of encrypting the information may be substantial, the savings if the information is breached are easy to imagine.
Limiting access to such data and putting in place programs to determine if a breach has occurred is equally vital. It is important to note that customers will be uniformly outraged if they discover personal information has been obtained by unknown third parties and an entire customer base may be destroyed by the required notification. The company wishing to maintain good customer relationships must be assertive in programming appropriate safeguards and restricting access accordingly. It is not unusual for a company to have its entire customer base disappear overnight the moment such a breach is discovered and with the law requiring notice of such a breach, a hacker or disgruntled employee achieving the same can effectively destroy a company. As one businessman told the author, “There is nothing you can say to customers to make them feel safe with doing business with you again. They look at you as if you sold the family jewelry even if no thief actually uses the information.”
For those companies that provide such data to third parties, including their own suppliers, it is important to have the right protections in the agreements that allow transfer of such information and to ensure that the supplier has installed its own level of security so that one is not brought into litigation due to the negligence of a third party. It is perhaps useful to consider such data as held in trust for the consumer and one must treat it with the same care and concern that one treats any property held in trust…or face the consequences.
Too often the data is collected over time without planning or any security system in place. Too often the first time a company realizes the critical nature of such security is after a breach occurs. One company represented by the author only discovered its exposed position when a fired controller left with discs containing much of the data, and it was required to commence aggressive litigation to retrieve the data before he transferred it offshore, as he had threatened to do during a heated meeting.
The key is the right procedures and agreements in effect, appropriate software protecting the data, and the full understanding of the degree of care and competence necessary to protect this asset and the consumers. For consumers, our article on identity theft indicates what steps you may wish to take to protect yourself in such situations.