- California Department of Consumer Affairs Suggests "Best Practices" For Businesses Notifying Consumers of Possible Identity Theft
- March 12, 2004 | Author: Joseph E. Laska
- Law Firm: Manatt, Phelps & Phillips, LLP - Los Angeles Office
According to the Federal Trade Commission, identity theft -- the theft of personal identifying information such as one's social security number, driver's license number or credit card number -- victimized nearly 10 million consumers in 2002 and cost businesses as much as $50 billion. Several federal and California statutes govern the collection of this information by businesses, as well as what businesses should do when a privacy breach occurs. However, according to the Office of Privacy Protection ("OPP") in the California Department of Consumer Affairs, businesses should do even more than the letter of the law requires: "Implementing an effective security program is essential for an organization to fulfill its responsibility towards the individuals who entrust it with their personal information."
To that end, the OPP has released a report containing recommended "best practices" for California businesses regarding the protection of personal information. Although these suggestions are not binding law, they are more comprehensive than the existing laws on the issue and, if followed, would likely ensure that businesses are complying with those laws. The recommended guidelines may be summarized as follows:
Part 1: Protection and Prevention
Businesses should collect the minimum amount of personal information necessary to accomplish the intended business purpose, and should inventory and classify that information in their systems and limit employee access to it. Businesses should also promote awareness of privacy requirements among both employees and third-party partners, and make privacy and security obligations enforceable by contract. In addition, companies should use all available safeguards -- from data encryption and intrusion detection technology to cross-cut paper shredders -- to ensure security.
Part 2: Preparation for Notification
To ensure timely notice to consumers in the event that the security of their personal information is breached, companies must prepare ahead of time. That includes adopting formal, written internal procedures, designating responsible individuals in any response plan, training them and keeping their training current, and reviewing these procedures at least annually. Businesses should also require data custodians to report any possible breach immediately, and further require all third-party partners to follow the business's procedures. Importantly, companies should collect customers' contact information (i.e., mailing and/or e-mail addresses) so that those customers can be notified of any breach.
Part 3: Notification
If a company believes that personal information has been stolen or released, it should first take the steps necessary to contain or control the breach and determine its scope. It should then notify affected individuals as soon as possible after the breach is discovered; the OPP recommends doing so within 10 days. However, if a business believes that the breach may involve illegal activity, it should notify law enforcement before contacting the affected individuals, and ask law enforcement to inform the business as soon as affected individuals can be contacted without hampering any criminal investigation. If the breach involves a large number of individuals and may have a significant impact on the consumer credit reporting agencies (Equifax, Experian, and TransUnion), the company should contact those agencies directly. In following these guidelines, businesses should avoid "false positives" -- that is, notifying individuals that their privacy has been compromised when, in fact, it was not.
California businesses may wish to consider adopting some or all of these suggested best practices, or modifications thereof, in light of federal and state privacy legislation. It is, at least, prudent.