
10/10/2010 California Raises the Bar on Data Secur…

California Raises the Bar on Data Security and Privacy

By James F. Brelsford of Jones Day

California has recently enacted two landmark pieces of consumer rights legislation, each of
which creates new burdens for companies doing business with California residents. The first,
Senate Bill No. 1386 ("SB 1386"), requires any company that stores customer data
electronically to notify its California customers of a security breach to the company's
computer system if the company knows or reasonably believes that unencrypted information
about the customer has been stolen. The second, Senate Bill No. 1 ("SB 1"), commonly
known as the California Financial Information Privacy Act, creates new limits on the ability of
financial institutions to share nonpublic personal information about their clients with
affiliates and third parties. This Technology Commentaries provides a brief overview of each
of the new laws and what companies should be doing to comply with the new statutes.

Security Breach Statute

SB 1386 obligates companies electronically storing the unencrypted personal information of
any California resident to notify such persons of a security breach to the database storing
their data. Passed almost unanimously by the California Senate and Assembly and effective
July 2003, the statute was created to address one of the fastest growing crimes committed in
California, identity theft, but it has far broader legal implications.

Specifically, SB 1386, codified as Civil Code § 1798.82, et seq., requires "any person or
business that conducts business in California, and that owns or licenses computerized data
that includes personal information, [to] disclose any breach of the security system…to any
resident of California whose unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person." The statute imposes specific
notification requirements on companies in such circumstances. The statute applies
regardless of whether the computerized consumer records are maintained in or outside
California. As long as a company conducts business in California and owns or licenses
computerized data that includes "personal information" (defined below) about residents, it
has a legal obligation to notify its California consumers of security breaches to their personal
information. The statute thus has broad implications for companies across the United States
and worldwide, if they maintain, own, or license unencrypted computer data containing
personal information about California residents.

library.findlaw.com/2003/…/133060.html 1/6

Consequences of Noncompliance. The statute provides a strong incentive for companies to
adopt comprehensive security procedures to limit the vulnerability of their computer systems
and to create a plan of action in the event of a security breach. Companies that fail to secure
themselves face the cost of notification and the negative impact on image and consumer
confidence associated with publicly disclosing a security breach. Moreover, companies face
private actions for damages if they fail to notify consumers of a security breach, which could
include class actions. The statute also provides that "[a]ny business that violates, proposes to
violate, or has violated this title may be enjoined."

"Security Breach" and "Personal Information" Defined. The statute defines "personal
information" as an individual's first name or first initial and last name in combination with
any one or more of the following, when either the name or data elements are not encrypted:
(a) Social Security number; (b) driver's license number or California ID card number; (c)
account number, credit or debit card number, in combination with any required security
code, access code, or password that would permit access to an individual's financial account.
"Personal information" does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government records.

The statute broadly defines a "security breach" as an "unauthorized acquisition of
computerized data that compromises the security, confidentiality, or integrity of personal
information maintained by the person or business." The statute does not define the term
"unauthorized" or specify what evidence of a breach is necessary to trigger notification
obligations. The statute also leaves unresolved whether companies have an affirmative duty
to actively monitor and detect security breaches.

Notice Obligations Upon a Breach of Security. A company must notify any California
resident whose unencrypted "personal information" was, or was reasonably believed to have
been, acquired by an unauthorized person. Although the statute does not specify what the
disclosure must entail, it does state that notice must occur in "the most expedient time
possible and without unreasonable delay." A company may delay notice if a law enforcement
agency "determines" that the notification will impede a criminal investigation.

Notice may be provided in writing, or electronically if the electronic notice is consistent with
federal law regarding electronic records and signatures. If a company can demonstrate that
the cost of providing notice would exceed $250,000, or that the affected class of persons to
be notified exceeds 500,000, or that the company does not have sufficient contact
information, then it may instead use "substitute notice." Substitute notice requires the
following three actions: (1) e-mail notice when the company has e-mail addresses for the
subject persons; plus, (2) conspicuous posting of notice on the company's Web site, if it
maintains one; plus, (3) notification in a major statewide media. Alternatively, a company
that maintains its own notification procedures as part of an information security policy that
is consistent with the timing requirements of the statute is deemed to be in compliance with
the statutory requirements if it notifies the affected consumers in accordance with its
policies.

Strategies for Security and Compliance. Companies should review their privacy policies and
security procedures for compliance. To start, companies should inventory existing computer
systems and electronic files to determine what personal information companies collect and
maintain and in what form. Companies may wish to specify notification methods in user
agreements or privacy/security statements. At the same time, however, companies must
exercise caution not to overstate the actual level of security in place because the Federal
Trade Commission actively prosecutes companies for false or misleading security or privacy
representations posted on a company's Web site or elsewhere.

One preventive measure companies may take to avoid liability under the statute is to encrypt
computerized data, as the statute applies only to "unencrypted personal information."
Companies may also mitigate "unauthorized" access by limiting employee access to
computer data to a "need to know" basis using passwords or other techniques, and training
employees on the importance of information protection and immediate reporting of
breaches. Additionally, new technologies designed to provide detail about network conduct
and data-flow patterns may provide companies with critical information about improper
data acquisition. Finally, companies that have third-party contracts involving the transfer of
computerized personal information should review the contracts to ensure they provide for
notification and, where appropriate, the right to require, control, or otherwise participate in
reporting security breaches involving the computerized personal information of California
consumers.

California Financial Information Privacy Act

SB 1 expands the financial privacy rights provided to consumers under the federal
Gramm-Leach-Bliley Act ("Gramm-Leach-Bliley"). Under Gramm-Leach-Bliley, financial institutions
currently have an obligation to provide notice to consumers regarding the institution's use of
consumers' nonpublic financial information, and consumers have the right to request their
information not be shared with unaffiliated third parties. California SB 1 sets more rigorous
standards in regard to both the disclosure obligations of financial institutions and the ability
of consumers to prevent their information from being shared with affiliates and third parties.

SB 1 creates a three-tier system where the conditions that must be met for financial
institutions to lawfully share "nonpublic personal information" about consumers depend
upon the relationship between the institutions. First, the law does not create any restrictions
on the ability of financial institutions to exchange information with their wholly owned
subsidiaries or on the exchange of information between entities wholly owned by the same
parent as long as those entities are (i) regulated by the same functional regulator, and (ii)
engaged in the same line of business. Second, for a financial institution to share information
with an affiliate, that is, "any entity that controls, is controlled by, or is under common
control with" the institution, it must provide consumers with an annual notification that such
information may be disclosed to affiliates and it must provide consumers an opportunity to
opt out of the sharing arrangement. Finally, financial institutions will not be allowed to share
nonpublic personal information about their clients with nonaffiliated third parties without
the written consent of the client authorizing release of his or her information, thus creating a
mandatory opt-in system for the release of information to third parties.

Consequences of Noncompliance. Negligent failure to comply with the terms of the statute
can lead to civil liability damages of up to $2,500 per violation, for a total of up to $500,000
per occurrence, with the damages set "irrespective of the amount of damages suffered by
the consumer as a result of that violation." Knowing and willful violations will likewise be
subject to civil damages of up to $2,500 per violation, but there is no limit on the level of
damages per occurrence for such violations. In line with the state's strong stance toward
protecting against identity theft, all fines can be doubled in instances where violation results
in the identity theft of a consumer.

"Financial Institution" and "Nonpublic Personal Information" Defined. The definition of
"financial institution" is taken largely from Section 1843(k) of Section 12 of the United States
Code ("Section 1843(k)") with the additional qualifier that the institution must be "doing
business in" the state of California. Section 1843(k) provides a range of factors that should be
considered in determining whether a company is classified as a financial institution, with a
focus on whether the institution is engaged in activities such as "lending…or safeguarding
money or securities," "insuring…against loss," "providing financial, investment, or economic
advisory services," and "underwriting, dealing in, or making a market in securities."
Companies "primarily engaged in providing hardware, software, or interactive services," as
long as they are not also engaged in other activities that would render them a financial
institution, are not financial institutions for purposes of SB 1.

"Nonpublic personal information" is defined as "personally identifiable financial information"
obtained by a financial institution. "Personally identifiable financial information" is defined as
"information (1) that a consumer provides to a financial institution to obtain a product or
service from the financial institution, (2) about a consumer resulting from any transaction
involving a product or service between the financial institution and a consumer, or (3) that
the financial institution otherwise obtains about a consumer in connection with providing a
product or service to that consumer." The definition of "nonpublic personal information"
explicitly excludes information that the financial institution could reasonably believe is
available to the general public.

Compliance Issues. Both the opt-in and the opt-out sections of the law include requirements
as to the form of communication with the intent of making it easy for consumers to
understand and exercise their rights under the statute. For example, the notification
regarding the release of information to affiliates must, among other things, be a separate
document conspicuously titled "Important Privacy Choices For Consumers," it must use
clear English, and it must provide "choice boxes" that enable consumers to check off their
privacy preferences. A model form is provided, and institutions that use the model are
presumed to be in compliance with the form requirements. The notice requirement can also
be satisfied via electronic notification if certain conditions are met.

To further ensure that consumers are free to exercise the privacy rights created by SB 1, the
statute contains a nondiscrimination requirement that makes it unlawful for companies to
discriminate against consumers who exercise their right to opt out of affiliate sharing or who
do not approve the release of their information to third parties.

The new law goes into effect July 1, 2004. However, financial institutions may continue to
perform on contractual obligations requiring disclosure of nonpublic personal information to
third parties until January 1, 2005 for all contracts entered into on or before January 1, 2004.

Questionable Legal Authority. The legality of SB 1 remains an open question, and suits
challenging the right of California to adopt such legislation are expected. Gramm-Leach-Bliley,
identified by the California legislature as the federal law pursuant to which they
adopted SB 1, allows states to adopt more stringent consumer protection measures than
those adopted by Congress. Specifically, Gramm-Leach-Bliley states that "[f]or purposes of
this section [on privacy and the disclosure of nonpublic personal information] a State
statute…is not inconsistent with the provisions of this subtitle if the protection such
statute…affords any person is greater than the protection provided" hereunder. 15 U.S.C.
§ 6807(b). The federal Fair Credit Reporting Act, in contrast, largely proscribes the authority
of the states to create more rigorous standards than those set by Congress in this area, and
would likely preempt major sections of SB 1. 15 U.S.C. § 1681t(b). The relevant provision of
the Fair Credit Reporting Act is set to expire at the end of 2003, but legislation is pending to
make it permanent. What this means for the fate of SB 1 remains an open question.

Conclusion

The recent enactment of SB 1386 and SB 1 suggests California is continuing to lead the nation
in efforts to protect consumer rights. This creates unique challenges for national and global
companies doing business in California or with California residents.

Further Information

Technology Commentaries are a publication of Jones Day and should not be construed as
legal advice on any specific facts or circumstances. The contents are intended for general
informational purposes only and may not be quoted or referred to in any other publication or
proceeding without the prior written consent of the Firm, to be given or withheld at its
discretion. The mailing of this publication is not intended to create, and receipt of it does not
constitute, an attorney-client relationship.

For further information, readers are encouraged to contact their regular Jones Day attorney
or the principal Jones Day author of this Commentaries, James F. Brelsford in the Menlo Park
Office (telephone: 650-739-3944; e-mail: jfbrelsford@jonesday.com). We invite you to visit
our Web site at www.jonesday.com for additional information on privacy topics.

© 2003 Jones Day


Copyright © 2010 FindLaw, a Thomson Reuters business. All rights reserved.
