On July 1, 2003, California enacted an electronic data privacy law to protect residents from one of its fastest growing crimes: identity theft. SB 1386 (Civil Code 1798.29) requires businesses to notify California residents if a security breach results in disclosure of personal electronic data. All businesses are subject to this law regardless of size, location, or operations. Business owners should be aware of the problems associated with identity theft, the steps required to comply with SB 1386, and the preventative measures available.
Identity theft is a significant problem to both citizens and financial institutions. The FTC estimates that over 27.3 million Americans have been the victims of identity theft in the past five years. The U.S. financial impact is staggering; in 2002 alone, losses were estimated at $48 billion to financial institutions and $5 billion to victims. The FTC reviewed trends from 214,905 cases reported in 2003, and California accounted for the highest number of incidents (39,452). In 20% of all cases, the source of the information breach involved disclosure of personal data over the internet or other electronic sources. In 55% of all cases, the identity theft resulted in credit card, bank, or loan fraud. Federal and state laws address this growing problem.
In January of 2001, Eli Lilly settled with the FTC after accidentally releasing the e-mail addresses of nearly 700 consumers who were using the company’s anti-depressant Prozac. Seven months later, Microsoft was targeted by the FTC for misrepresenting the security of its “Passport Wallet” web service. More recently, in April of 2004, Tower Records faced allegations for allowing and failing to correct a breach that disclosed consumer information including names, billing and shipping addresses, email addresses, phone numbers, and purchase histories. Under the separate settlement agreements, the three companies were barred from misrepresenting website security and required to implement rigorous programs to prevent future incidents.
California’s SB 1386 takes the FTC’s efforts one step further by requiring companies to notify California residents when a security lapse has resulted in disclosure of personal information so that immediate action may be taken to mitigate damages. In 2002, the California state employee payroll database was breached. Confidential information about 265,000 employees was available to hackers including names, addresses, bank account numbers, and social security numbers. The data center didn’t notify anyone for several weeks, leaving the employees vulnerable to identity theft longer than necessary. In response, SB 1386 was enacted as a means to ensure that Californians receive prompt notification so they may take immediate steps to protect their personal information.
SB 1386 applies to any business that stores unencrypted personal information of an employee or customer that resides in California. According to the law, personal information means an individual’s name in combination with any one or more of the following elements:
1.Social security number
2.Driver’s License number of California Identification Card number
3.Account number, Credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
Any unauthorized access of a computer and its data constitutes a breach. Notification must be provided even if confidential personal information was not stolen due to the difficulties of proving that all data remained secure. Any breach discovered on or after July 1, 2003 falls within the scope of SB 1386, and the law requires notification in the most expedient manner and without unreasonable delay. Legal notification can be conducted by direct mail, e-mail, posting on the company’s public website, or notification to major statewide media. Compliance with SB 1386 and litigation could be costly. To date, there have been no lawsuits, however Wells Fargo recently spent millions of dollars to comply with the new law.
In 2003, Wells Fargo hired a consulting firm to perform some work and turned over a database that contained names and social security numbers of 200,000 consumers that had secured loans from Wells Fargo. A petty thief stole the laptop containing the database from the consultant’s office. When the theft was discovered, Wells Fargo took steps to comply with SB 1386 and sent letters to all 200,000 customers, not just those residing in California. A follow up call was placed to each customer to ensure that the correspondence had been received. Account numbers were changed, and customers were encouraged to contact credit reporting agencies and monitor their credit. Wells Fargo also offered to purchase “Privacy Guard” service for each customer. “Privacy Guard” service costs approximately $75 per person and provides notification of activity on credit reports. Even though the laptop was recovered and it was determined that the information had not been used, compliance with SB 1386 was costly due to the number of individuals affected. Businesses can implement preventative measures to help reduce the costs and loss of good will that can result from such a breach of security.
Companies that electronically store personal information should have a formal written security policy that addresses data security. An effective plan addresses the size of the organization, the existing computing infrastructure, the types of activities conducted over the internet, and the amount the company is willing to spend on security features to mitigate problems. Security features include firewalls, secure socket layer encryption (encryption at the starting and end points), and intrusion detection systems. The plan should outline notification procedures and allow for the investigation and documentation of all breaches. Implementation of a formal written security policy will ensure compliance with SB 1386.
Identity theft is a growing concern due to the enormous financial consequences. SB 1386 outlines a company’s responsibilities for securing private information. Businesses have a moral and legal obligation to provide a high level of security and disclose breaches so action can be taken. Adherence to SB 1386 will reduce the damages of identity theft and protect companies from litigation and loss of good will.
FTC Press Releases and Reports:
Identity Theft Victim Complaint Data, Figures and Trends in California, January 1 – December 31, 2003.
January 18, 2002, “Eli Lilly Settles FTC Charges Concerning Security Breach”.
August 8, 2002, “Microsoft Settles FTC Charges Alleging False Security and Privacy Promises”.
April 21, 2004, “Tower Records Settles FTC Charges”. http://www.ftc.gov/opa/2004/04/towerrecords.htm
Cheryl A. Falvey, “Disclosure of Security Breaches Required by New California Privacy Legislation”. http://library.lp.findlaw.com/articles/file/00008/009186/title/Subject/topic/Antitrust%20and%20Trade%20Regulation_Unfair%20Trade%20Practices/filename/antitrustandtraderegulation_2_237
Whole Security, “Facts on Identity Theft”.
Auxillium West, “California SB 1386 – Personal Information: Privacy”.
StrongAuth, Inc., “California’s SB 1386 – Frequently Asked Questions”.
California SB 1386