Privacy of Personally Identifiable Information under California Law
© Bierce & Kenerson, P.C.
2003
Identity theft is one of the fastest growing crimes. Encryption and other data security measures can avoid or reduce the risk of identity theft. For outsourcing service providers and their customers inside California, California law no. SB 1386 of September 25, 2002 (adding Sections 1798.82 and 1798.29 to the California Civil Code) changes the manner in which they maintain and store personally identifiable information. Under the law, effective as of July 1, 2003, both service providers and their enterprise customers must notify California individuals when such individuals' personally identifiable information has been compromised.
This law impacts outsourcing processes worldwide. Special processing will be required for California residents' data. Since it is consumer-oriented, the California law promises to become a headache in other jurisdictions that adopt a similar compulsory notification requirement. Once notified, the consumers could engage in litigation to seek damages or otherwise enforce whatever rights they might have by statute or common law.
Protected Personally Identifiable Information. Under this law, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number, (2) Driver's license number or California Identification Card number, (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. This definition is unique and is not compatible with the definition of "personally identifiable information" under FTC principles or the draft Consumer Privacy Protection Act of 2003.
Mandatory Disclosure of Security Breaches. Under this law, Section 1798.82(a) of the California Civil Code would cover an outsourcer's enterprise customer:

    Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, ...or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
But Section 1798.82(b) would cover outsourcers as well as their enterprise customers, forcing them to notify of a breach of security:

    Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Timing of Disclosure. Data processors must consult with law enforcement authorities in all cases. The notification required may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required must be made after the law enforcement agency determines that it will not compromise the investigation. Cal. Civ. Code, § 1798.82(c).
Method of Notice. The California law lists many possible ways to deliver notice to the consumer. Such methods include written notice, electronic notice or substitute notice (where the cost of providing actual notice would exceed $250,000 or there are more than 500,000 affected persons), such as by e-mail, "conspicuous posting" on the Web, notification to major statewide media or otherwise pursuant to an internal procedure for notifications.
Managing the Process. The law is extremely brief, imposing a disclosure obligation without defining the administrative or technical compliance requirements.
Federal Preemption - Maybe. This law regulates the use of the personally identifiable information, but it also regulates the consequences of security breaches. As a result, it might escape federal preemption under pending or future federal privacy laws.
Best Practices in Outsourcing. As a safe harbor, enterprises and their outsourcers servicing California consumers could avoid problems by:
Further reading:
Federal Consumer Privacy Protection Act of 2003 (not enacted)
http://www.outsourcing-law.com/privacy_consumer_federal2003.htm