Burnette Law Firm

Theft of Personal Data:
Business Reporting Requirements
for Breach of Computer Security

© Roberta J. Burnette 2004. All rights reserved.

State Bar of California, Small Firm Section BIG NEWS, March/April 2004

The office laptop computer used by your business partner has a strange file. When you inquire, your partner replies, “no big deal, my teenager’s laptop crashed so he used the office’s laptop for his book report.” In addition to the ethical issue of client confidentiality raised in that situation, you may have duties and liability under a new computer security law.

California Civil Code section 1798.82, which amended the Information Practices Act of 1977, is designed to curb identity theft. This new section requires businesses that keep computerized data to notify their customers, clients, or employees who are California residents whenever it is reasonable to believe that there has been a breach of the security of that data.

A breach of security may arise when a hacker enters an office computer system, an unauthorized employee uses another work station computer, a PDA is lost or stolen -- or even when a teenager uses your office laptop for a school project.

Although the amendment to the Civil Code took effect on July 1, 2003, many businesses, including law firms, remain unfamiliar with their obligations and possible liability under the law.

WELLS FARGO INCIDENT

Wells Fargo was one of the first businesses to face the disclosure requirements publicly. The San Jose Mercury News, November 22, 2003, reported that a computer holding the names, addresses, Social Security numbers and account numbers of thousands of Wells Fargo customers was stolen from a consultant's office. Wells Fargo provided legal notice by letter to law enforcement and affected customers. It then took further steps to safeguard customers by changing account numbers and offering free credit monitoring services.

KEY PROVISIONS

The new law applies to persons or businesses anywhere in the world that conduct business in California. A separate section applies to state agencies. Cal. Civ. Code § 1798.29(a).

The law covers only unencrypted personal data that is contained in a computer system. A “computer system” includes the server, personal computer, laptop, and PDA. Cal. Civ. Code § 1798.82(a)-(b). The law does not appear to apply expressly to paper or hard copies of personal information.

Only California residents are protected by these new provisions. Businesses and others covered by the law must notify residents when unencrypted personal information about the individuals was, or is reasonably believed to have been, acquired by an unauthorized person. Cal. Civ. Code § 1798.82(a). The required disclosure must be made to California residents regardless of where in the world the compromise of their data occurred.


“Personal information” means the person’s name “in combination with” a social security number, a driver’s license or identification card number, or a financial account number together with any required security code, access code, or password that would permit access to the account. Notification is required when either the name or the data elements are not encrypted. Cal. Civ. Code § 1798.82(e).
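The definition above is what an incident responder actually has to apply, record by record, when scoping a breach. As an added example (not part of the original article, and not legal advice), here is a small Python triage helper that scores compromised records against that definition and against the encryption carve-out; it also illustrates the point made under IT Department Role below that a fully encrypted record does not trigger notice. The field names, the sample records, and the conservative treatment of an account number whose access code is encrypted but whose number is not are all assumptions made for the example.

```python
"""Breach-scope triage against the Cal. Civ. Code s. 1798.82(e) definition.

Added example; field names and the conservative account-pair rule are
assumptions, not statutory text.
"""
from dataclasses import dataclass, field

# Data elements that, combined with a name, form "personal information".
DATA_ELEMENTS = {"ssn", "drivers_license", "state_id"}
# An account number counts only together with a code/password permitting access.
ACCOUNT_PAIR = ("account_number", "account_access_code")


@dataclass
class CompromisedRecord:
    """Fields exposed for one individual, and the subset that was encrypted."""
    fields: set
    encrypted: set = field(default_factory=set)
    california_resident: bool = True


def qualifying_elements(rec):
    """Return the statutory data elements present in the record."""
    found = {e for e in DATA_ELEMENTS if e in rec.fields}
    if all(f in rec.fields for f in ACCOUNT_PAIR):
        found.add("account")
    return found


def element_unencrypted(rec, element):
    """True if the element was exposed in the clear.

    Assumption: an account-number/code pair is treated as unencrypted if
    either half is in the clear (over-notify rather than under-notify).
    """
    if element == "account":
        return any(f not in rec.encrypted for f in ACCOUNT_PAIR)
    return element not in rec.encrypted


def notice_required(rec):
    """True if the record is personal information acquired in unencrypted form."""
    if not rec.california_resident:          # only California residents are protected
        return False
    if "name" not in rec.fields:             # no name, no statutory combination
        return False
    elements = qualifying_elements(rec)
    if not elements:                         # name alone (or name + e-mail) is not enough
        return False
    name_clear = "name" not in rec.encrypted
    # s. 1798.82(e): "when either the name or the data elements are not encrypted"
    return name_clear or any(element_unencrypted(rec, e) for e in elements)


def triage(records):
    """Return (number requiring notice, number not requiring notice)."""
    notify = sum(1 for r in records if notice_required(r))
    return notify, len(records) - notify


# Constructed sample records for the example (not real data).
SAMPLE = [
    CompromisedRecord({"name", "ssn"}),                                   # clear -> notify
    CompromisedRecord({"name", "ssn"}, encrypted={"ssn"}),                # name clear -> notify
    CompromisedRecord({"name", "ssn"}, encrypted={"name", "ssn"}),        # all encrypted -> no
    CompromisedRecord({"name", "account_number"}),                        # no access code -> no
    CompromisedRecord({"name", "account_number", "account_access_code"}), # notify
    CompromisedRecord({"name", "email"}),                                 # e-mail not an element -> no
    CompromisedRecord({"name", "drivers_license"}, california_resident=False),  # not a resident -> no
]

if __name__ == "__main__":
    notify, skip = triage(SAMPLE)
    print(f"records requiring notice: {notify}, not requiring notice: {skip}")
```

The second sample record shows why the encryption carve-out is read literally here: with the name in the clear and only the SSN encrypted, the record still qualifies. Whether a particular dataset meets the "encrypted" standard is a question for counsel; the helper only makes the scoping consistent and auditable.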

NOTICE REQUIREMENTS

Disclosure of the security breach must be made at “the most expedient time possible and without unreasonable delay,” unless a law enforcement agency determines that prompt notice would impede a criminal investigation. Cal. Civ. Code § 1798.82(a) and (c).

Content of Notice

The law is silent about the exact content of the notice. At a minimum, individuals should be given enough information to monitor their personal information and prevent its misuse: a description of the breach that occurred and of the information that may have been acquired. Businesses may also take this opportunity to engage in damage control by explaining what they have done and are doing to protect confidential information, by offering assistance such as free membership in a credit monitoring service, and by giving the name and telephone number of a person to contact for more information about the breach.

Form of Disclosure

Disclosure must be by written notice or electronic notice. Cal. Civ. Code § 1798.82(g)(1)-(2). However, electronic notice must be consistent with the provisions regarding electronic records and signatures set forth in section 7001 of Title 15 of the United States Code. Businesses may use substitute notice (e-mail notice, conspicuous web page posting, and notification of major statewide media) when the cost of standard notice would exceed $250,000, when more than 500,000 individuals must be notified, or when the business has insufficient contact information. Id. at § 1798.82(g)(3).

Penalties for Failure to Disclose

Failure to notify protected individuals may result in a civil action for damages and injunctive relief, both of which are cumulative to each other and any other available rights and remedies. Cal. Civ. Code § 1798.84. Violation of the disclosure requirements may also support a claim for restitution and other equitable relief under the Unfair Competition Law. Cal. Bus. & Prof. Code § 17200.

BREACH PREVENTION

The new notice requirements apply to every breach of security involving unencrypted personal information. It is not a defense for a business to claim that it was unaware of the breach or that its security measures failed to detect it.

Thus, although the law does not expressly mandate it, businesses are well advised to conduct security testing to assess risks of breach and enact prevention and detection policies. Breach prevention will require a multi-disciplinary approach with input from various departments.

IT Department Role

The Information Technology Department or technology specialist should engage in systematic security testing to identify areas of vulnerability. Encryption of all personal data should be explored, because a breach of encrypted data does not trigger the notification requirements; note that encryption gives this protection only if the keys are not exposed along with the data, so a laptop whose encryption key or passphrase travels with it in the same bag gains little. Assessment could also include penetration testing to reveal and remedy system weaknesses before an incident occurs, disabling and removing unnecessary software, making sure that patches are up-to-date, and verifying that current versions of applications are installed.

HR Department Role

The Human Resources Department should examine the treatment of data by employees. To prevent lapses in security, additional employee training should be provided, and policies and procedures should be updated to cover subjects such as:

- avoiding bringing confidential data home on a laptop or PDA,

- securing laptops and PDAs, and not leaving them unattended in a car,

- disconnecting from the Internet while the computer is unattended,

- using complex passwords, which include a combination of letters and numbers.

In addition, HR, working with IT, should routinely evaluate whether user privileges are appropriately assigned, and implement access controls that limit unauthorized employees’ access to information and that log activity so that possible breaches can be documented and traced.

Legal Department Role

Finally, the Legal Department should examine the contracts between the company and outside contractors and outsourcing services, such as payroll processing and computer repair. Businesses should require their contractors to take precautions with personal information.

In addition, service contracts should place the liability for a contractor’s breach of security squarely on that contractor. Service agreements should also include a release of the business’s liability and an indemnification (hold harmless) provision with respect to breaches of security.

CONCLUSION

In recent years, legislatures have been attacking identity theft on all fronts, enacting laws affecting credit reporting, computer security, and on-line services. The new Civil Code provisions make it clear that businesses also must play a role in helping prevent theft of the information in their computer systems.

_____________________________________________________________________

OTHER PRIVACY LAWS APPLICABLE TO BUSINESSES:

• Article I, section 1 of the California Constitution provides that all people have the “inalienable right” of privacy. Persons may state constitutional privacy claims against state actors, private businesses, and individuals.

• Under Business and Professions Code sections 350-52, the California “Office of Privacy Protection” was created in 2000. Its web site is: http://www.privacy.ca.gov.

• Civil Code section 1798.81 requires businesses to take all reasonable steps to destroy customer records containing personal information that the business is no longer required to retain.

• Government Code section 11019.9 requires every state agency to create and issue a privacy policy.

• SB 68, effective July 1, 2004, mandates that commercial web sites or online services that collect personal information on California residents must post a privacy policy and comply with it. The law may be enforced through the Unfair Competition Law, Business & Professions Code section 17200.

• SB 27, effective January 1, 2005, requires online companies to tell consumers what information about them is shared with third parties and the third parties’ identities. As an alternative, the company may simply have a privacy policy giving the customer the free opportunity to opt out of information sharing. Violators are liable for civil penalties up to $3,000 per occurrence plus attorneys’ fees.

____________________________________________________________________________

ON-LINE HELP FOR BUSINESS COMPUTER SECURITY:

• The National Institute of Standards and Technology, an agency of the U.S. Department of Commerce, Technology Administration, has a Computer Security Resource Center that provides cryptographic standards and assessment, security testing, and management guidance to businesses, including small business seminars. Its web site is: http://csrc.nist.gov.

• The CERT/Coordination Center is a center of Internet security expertise, located at the Software Engineering Institute, a federally-funded research and development center operated by Carnegie Mellon University. It offers incident advisories for various software and systems, incident fixes, security practices and evaluations, and training and education. Its web site is: http://www.cert.org.

• The Internet Security Alliance offers information on security design and data protection, such as in its Common Sense Guide for Senior Managers. Its web site is: http://www.isalliance.org.

__________________________________________________________________________

ATTORNEYS BEWARE OF CONFLICTING DUTIES:
DUTY TO DESTROY vs. ETHICAL OBLIGATIONS

Although Civil Code section 1798.81 requires businesses to destroy records of personal information not in use, attorneys should not start shredding or erasing client files yet:

• Before disposing of client files, attorneys must take all reasonable steps to locate the client, notify the client of the intended disposal, and allow the client to examine or retrieve the file. Cal. State Bar Formal Opinion 2001-157.

• Regardless of client directives, attorneys have the duty to examine the contents of the file and preserve certain documents required to establish a claim or defense, that have intrinsic value (e.g., money orders, stocks, wills, original deeds), or that must otherwise be preserved by law (e.g., certain estate planning documents). Cal. State Bar Formal Opinion 2001-157; Los Angeles Bar Association Formal Opinion 475 (1995). See Probate Code §§ 730-35.

• Attorneys must retain documents pertaining to criminal matters until the client dies or provides express consent for destruction. Cal. State Bar Formal Opinion 2001-157; Los Angeles Bar Association Formal Opinion 420 (1983).
