• Security Breaches Must Be Disclosed
  • July 15, 2003 | Author: Wendy M. Lazerson
  • Law Firms: Holland & Knight LLP - San Francisco Office ; Holland & Knight LLP - Los Angeles Office ; Holland & Knight LLP - San Francisco Office
  • An outgrowth of the recent focus and concern about identity theft is a new disclosure law (S.B. 1386), which takes effect on July 1, 2003. The law impacts companies with employees and/or customers residing in California, regardless of where the companies are based or physically located. The law, which largely went unnoticed before it was signed into law, is designed to minimize the impact of unauthorized disclosure of private information by requiring companies to advise individuals " expediently" of an actual or suspected security breach.

    Companies covered by the law are those doing business in California that own or license computerized "personal information" of California residents. The law defines "personal information" as an individual's first name or first initial, and last name, in combination with any one of the following: the individual's (a) Social Security number; (b) driver's license or California Identification Card number; or (c) account number, credit or debit card number, in combination with any security code, access code, or password, that would permit access to the individual's financial account, when any of the foregoing is unencrypted.

    The law requires disclosure "in the most expedient time possible and without unreasonable delay." The disclosure must be in writing, although under certain defined circumstances, electronic or substitute notice may be permitted. Also, the disclosure may be prohibited where a law enforcement agency determines that such notification will impede a criminal investigation.

    The consequence for failure to comply with the law is potential civil liability for damages to the individual injured by the unauthorized disclosure and exposure to injunctive relief to compel compliance with the law.

    Companies subject to this law should audit their current security policies and procedures to avoid security breaches. In addition, companies should prepare for compliance with the law by creating and implementing policies and procedures for proper notification, should a security breach occur.