Byline: Peter Bales, Esq.

It seems as though a week does not go by without a company reporting that its customers’ personal information was either intentionally hacked or inadvertently exposed. In April 2011, Sony reported that hackers had stolen the names, birth dates, and possibly credit-card numbers of more than a 100 million users of its online video games. In May 2011, Citigroup discovered that almost 400,000 credit-card accounts were hacked, resulting in $2.7 million in losses. One of the many questions that arises after discovering such a breach is how to notify the affected customers.

In 2003, California became the first state to enact a data security breach notification law. California Civil Code Section 1798.82 requires those who own or license computerized data that includes personal information, to disclose breaches of security to any state resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.1

“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(1) Social Security number;

(2) driver’s license number or California identification card number;

(3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;

(4) medical information2; and

(5) health insurance information.3,4

The disclosure must be made “in the most expedient time possible and without unreasonable delay.”5 Additional time may only be allowed in two instances:

(1) if a law enforcement agency determines that the notification will impede a criminal investigation, and

(2) taking necessary measures to determine the scope of the breach and restore the reasonable integrity of the data system.6

The methods of notification, e.g., written, electronic, or substitute notice, are outlined in Civil Code Section 1798.82. It is important to note that a customer injured by a violation of California’s notification requirements may institute a civil action to recover Damages.7

Until recently, there were no requirements for the contents of the notice. However, on August 31, 2011 Governor Brown signed Senate Bill 24 amending the notification law and making important changes that apply to breaches occurring on or after January 1, 2012.

The new law requires that the notice contain specific information regarding the breach, including the following:

(1) a list of the types of personal information that were or are reasonably believed to have been the subject of a breach;

(2) the date, estimated date, or date range of the breach;

(3) whether notification was delayed as a result of a law enforcement investigation;

(4) a general description of the breach incident; and

(5) the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.

Another requirement added by Senate Bill 24 is that businesses, in certain circumstances, will need to notify the California attorney general. More specifically, if more than 500 California residents were notified of the breach, the business will be required to electronically submit to the attorney general a sample copy of the security breach notification, excluding any personally identifiable information.

For those California businesses that have customers throughout the country, it is important to be aware of and monitor other state laws regarding breach notifications. With the exception of Alabama, Kentucky, New Mexico, and South Dakota, every state, as well as the District of Columbia, Puerto Rico and the Virgin Islands, have enacted legislation requiring notification of security breaches involving personal information.8

Given the unpredictable nature of security breaches, it is essential that companies be prepared ahead of time and have security breach procedures—evaluated by counsel for compliance with the applicable laws—in place so that they can quickly respond in the event of a breach. These new changes to California law provide an opportunity for companies to revisit the policies and procedures currently in place or create such policies and procedures that previously did not exist.

1 Civ. Code § 1798.82(a).

2 “Medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. (Civ. Code §1798.82(f)(2).

3 “Health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records. (Civ. Code §1798.82(f)(3).)

4 Civ. Code § 1798.82(e).

5 Civ. Code § 1798.82(a); emphasis added.

6 Civ. Code § 1798.82(c).

7 Civ. Code § 1798.84(b).