You are the CEO and Your System Has Been Hacked
by Gavin G. Galimi, Attorney
You are feeling pretty good. It's a three-day weekend and you are skiing at Mammoth. Your company just rolled out a new web-based CRM system that interfaces with your accounting system, finally giving your customers real-time access via the web to their account information. The roll-out went off without a hitch, ahead of schedule, and under budget. Hopefully, it's the first of many successes in implementing the 2004 strategic plan.
Your cell phone rings. It's your IT manager and the company's outside counsel. "We think there's been a breach. The new CRM system may have been hacked. We're still assessing the situation. There's a chance whoever did this got access to our customer's personal information."
What do you do?
Senate Bill 1386 - a New Part of the California Information Practices Act ("CIPA")
You remember what your legal counsel said. California thinks they have the answer: Senate Bill 1386. It is part of the California Information Practices Act. SB 1386 went into effect on July 1 last year. Basically it requires notification to California residents when an unauthorized person gains access to unencrypted personal information in computerized data.
$52.6 billion - the amount Identity Theft cost people and businesses in 2002.
- Federal Trade Commission, September 2003 report
The law was motivated by an attack on a state government data center in which hackers illegally accessed sensitive financial and personal information regarding approximately 265,000 state workers. According to a California Senate committee investigation of the incident, over one month passed before the breach was discovered and then another two weeks passed before the affected workers were notified.
Early notification to individuals whose personal information has been compromised is the key to limiting their risk of and damages from the rapidly growing crime of identity theft. If someone receives early notification, they can put fraud reports on their credit file with the credit bureaus. In 2002, nearly 10 million people, or one out of every 20 people in the United States, were victims of Identity Theft, with each person spending 30 hours on average resolving problems from the Identity Theft according to a recent Federal Trade Commission study. That same study puts the loss to victims at $5 billion and nearly ten times that amount for businesses - $47.6 billion.
Now let's go back to our CEO's problem.
Do We Have To Worry About SB 1386? Does It Apply To Us?
SB 1386 is very broad in its application. It applies to virtually every person, sole-proprietor, company, non-profit, association, government agency, and financial institution if it owns, licenses, or stores computerized data about California residents. Technically, to fall within the statute, a person or business needs to "conduct business in California." It used to be fairly straightforward to determine if someone was conducting business in California. Do you have an office in California? Do you have employees in California?
With the internet and computers, the question of doing business in California is more complicated. It may not matter that you do not have an office in California or that your PCs and servers are located in Iowa, or that your company only has two employees. For example, if you are selling over the internet, market nationwide, and have customers in California, you may be doing business in California. One commentator has even suggested that merely having computerized information about one California resident is enough to make the statute apply.
Risks of Non-Compliance
If conducting business in California is really a question of interpretation, you need to assess the risks of interpreting incorrectly to make an educated business decision. Unlike most other recently enacted privacy laws, e.g., the privacy rule under HIPAA covering certain health information or the Gramm-Leach-Bliley Act covering certain financial information, SB 1386 gives customers who do not receive proper notice and are injured the right to sue in civil court for damages. What does this mean?
Let's use the state data center break-in as an example. Using data from the Federal Trade Commission on the incidence of and damages from identity theft, almost 5% of the 265,000 state workers whose information was accessed will become victims of identity theft. That means approximately 12,190 of the state workers will be victims of identity theft. At an average cost per victim of $500, total damages will be approximately, on average, six million dollars. Count on a class action lawsuit claiming $6,000,000 in damages, negative publicity, and the costs of defending the suit.
In addition, SB 1386 also allows businesses to be enjoined for violations. The statute is unclear as to what precisely this means. Could the government shut down an entire business if it violates SB 1386? The vagueness of the statute suggests yes, but a more realistic interpretation is that a business that fails to provide the required notice, or plans not to give required notice, can be forced to do so by the courts.
We also anticipate that the notice requirements of SB 1386 may raise awareness of another section of California's Information Practices Act ("CIPA"), the four-year-old California Civil Code 1798.81. It requires a business to "take all reasonable steps to destroy, or arrange for the destruction of a customer's records within its custody or control containing personal information which is no longer to be retained by the business." While there is no notice requirement in the record destruction statute, it has the same penalties as SB 1386 - civil suit for damages and injunction. The definition of business in the record destruction statute is broad like in SB 1386, but personal information under the record destruction statute is much broader. There is no requirement that the data be computerized. In fact, the records can be in any physical form, on any type of media, and they need not be written. Moreover, personal information includes any information that identifies, relates to, describes, or is capable of being associated with a particular individual. Are you taking "all reasonable steps to destroy" old customer records? If someone receives notice under SB 1386 and retains counsel, do not be surprised when there is a request for information about your record destruction procedures.
Compliance - Giving Notice
To avoid the class action seeking $6,000,000, you will need to comply with SB 1386. If there is a breach of the security of a computer system, notice has to be given to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The notice needs to be made in a reasonable time period after discovery or notification of the breach. Law enforcement is expressly permitted to delay the notice if a determination is made that notification will compromise a criminal investigation. Of course, you would have to first notify law enforcement before you can get the benefit of the delay.
Think about this from the perspective of a customer who becomes a victim of identity theft, "You waited three weeks to tell me my personal information was illegally accessed while you were trying to figure out which of the million people in your database were impacted by the hacking. If I had known even one week earlier, I could have gotten fraud alerts on my credit files before the thief opened credit cards in my name." You do not want to litigate what a reasonable time period is. Give the notice as promptly as possible. The California Office of Privacy Protection suggests notice within 10 business days is a reasonable time period. If law enforcement wants you to delay the notice, get it in writing.
There are four ways notice may be given under the statute: (i) written notice, (ii) electronic notice, provided the electronic notice is consistent with the federal "e-Sign Act," (iii) notice in accordance with a person's or business' own notice policies under an information security policy in compliance with the timing requirements of SB 1386, or (iv) substitute notice consistent with SB 1386's requirements.
NOTICE METHODS UNDER SB 1386
1. Written Notice
2. Electronic Notice, consistent with e-Sign Act
3. Notice in accordance with own policies and procedures (if they meet statutory timing requirements)
4. Substitute Notice
A word about substitute notice: a person or business only qualifies to use it if they can demonstrate that the cost of providing notice would exceed $250,000 or that the class of persons to be notified exceeds 500,000 or that insufficient contact information is available. With first-class letters costing 37¢ to mail, plus the cost of letters and envelopes, it is easy to imagine mailing letters to 500,000 people costing around $250,000. If at least one of the requirements is met, then substitute notice may be used. Substitute notice requires all three of the following: (1) e-mail notice when the person or business has an e-mail address for the person, (2) conspicuous web site posting of the notice if the person or business maintains a website, and (3) notification to major statewide media.
Before We Worry About Giving Notice, What Kind of Information Is Covered by SB 1386?
Merely having a person's name does not constitute personal information under the statute. Personal information under SB 1386 consists of two components. The two components are (1) an individual's first name or first initial plus last name and (2) any one of the following three data elements: (i) social security number, (ii) driver's license or California identification card number, or (iii) account number, credit or debit card number, plus any required security code, access code, or password that would permit access to an individual's financial account. Personal information does not include, however, publicly available information that is lawfully made available to the general public from federal, state, or local government records.
When Is a Person or Business Exempt from Giving Notice? Is Encryption a Safe Harbor?
There are several ways to avoid the notice requirement under SB 1386. Of course preventing unauthorized access is a basic way to avoid the notice requirement. But there are a range of options that may diminish the exposure a person or business faces under SB 1386. First, consider encrypting employee and customer data. Both components of personal information need to be encrypted. SB 1386 does not specify an encryption standard or method. While this is helpful in an evolving marketplace where encryption technology continues to change, it does not give much bright-line guidance to people and businesses trying to comply with SB 1386. Technically, even the most rudimentary data encryption would meet the statutory language. However, current recommendations from various government agencies are to comply with the National Institute of Standards and Technology's Advanced Encryption Standard. A website with more information about the standard appears in the Useful Websites box above. One thing the statute makes clear about encryption is that the data itself needs to be encrypted; those companies solely utilizing channel encryption would be at risk if someone gained unauthorized access to unencrypted data resident on their systems.
Another technique would be to store separately the name component and the data element component. If all an unauthorized user accesses is customer names, there is no notice requirement. If all an unauthorized user accesses is account numbers, there is no notice requirement. This means your system architects and database developers ought to think through reorganizing data structures. If they can separate the two components and only one is accessed in an unauthorized manner, there would be no notice requirement. This is part of the case for maintaining separate servers for each critical element. Remember, however, that SB 1386's notice requirement is triggered if there is a reasonable belief that personal information was acquired by an unauthorized person. So, you will need to be sure that only a subset of the entire data file was accessed if data separation is to be useful at limiting exposure under SB 1386.
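As an added example (not from the article), the following Python triage helper encodes the three points made above: the two-component definition of personal information, the requirement that the stored data itself be encrypted, and the data-separation argument including its "reasonable belief" caveat. Given the fields an intruder is believed to have acquired and whether each is encrypted at rest, it reports whether notice is triggered. Field names and scenarios are constructed, and the encoding simplifies the statute (it assumes an access code is always required alongside an account or card number).

```python
from typing import Dict, Optional, Set, Tuple

# Constructed column names; the statute names data elements, not columns.
# In the dictionaries below a value of True means "encrypted at rest".
NAME_FIELDS = {"first_name", "first_initial", "last_name"}
STANDALONE_ELEMENTS = {"ssn", "drivers_license", "ca_id_number"}
ACCOUNT_FIELDS = {"account_number", "card_number"}
ACCOUNT_CREDENTIALS = {"security_code", "access_code", "password"}


def exposed_fields(fields: Dict[str, bool]) -> Set[str]:
    """Fields an intruder could actually read: those not encrypted at rest.

    Channel (transport) encryption is ignored on purpose; the article's
    point is that the statute looks at the stored data.
    """
    return {name for name, encrypted in fields.items() if not encrypted}


def has_name_component(exposed: Set[str]) -> bool:
    # Component 1: first name or first initial, plus last name.
    return "last_name" in exposed and bool({"first_name", "first_initial"} & exposed)


def has_data_element(exposed: Set[str]) -> bool:
    # Component 2: SSN; driver's license or CA ID number; or an account or
    # card number together with a code that permits access to the account
    # (this example assumes such a code is always required).
    if STANDALONE_ELEMENTS & exposed:
        return True
    return bool(ACCOUNT_FIELDS & exposed) and bool(ACCOUNT_CREDENTIALS & exposed)


def notice_required(accessed: Dict[str, bool], scope_confirmed: bool = True,
                    whole_store: Optional[Dict[str, bool]] = None) -> Tuple[bool, str]:
    """Return (notice_required, reason) for the fields believed acquired.

    If the investigation cannot confirm which fields were taken, the
    "reasonable belief" standard means the whole store must be treated as
    acquired, so `whole_store` is evaluated instead of `accessed`.
    """
    candidate = accessed if scope_confirmed or whole_store is None else whole_store
    exposed = exposed_fields(candidate)
    name, element = has_name_component(exposed), has_data_element(exposed)
    if name and element:
        return True, "unencrypted name plus data element acquired: notice required"
    if candidate and not exposed:
        return False, "every acquired field is encrypted at rest: no notice"
    if name:
        return False, "only the name component is exposed: not personal information"
    if element:
        return False, "data element exposed without a name: not personal information"
    return False, "no personal-information fields exposed"


if __name__ == "__main__":
    # Constructed scenario: one CRM table, then the same data with the name
    # component split off from the account data, then the table encrypted.
    crm = {"first_name": False, "last_name": False, "email": False,
           "account_number": False, "password": False}
    print(notice_required(crm))
    print(notice_required({k: v for k, v in crm.items() if k in NAME_FIELDS | {"email"}}))
    print(notice_required({k: True for k in crm}))
```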
Depending on the type of business, limiting computerized data to information publicly available from federal, state, or local government records would also avoid the notice requirements. This might be possible for certain marketing companies, depending on the elements of the computerized data.
Consider also the volume of data you have. SB 1386 only applies to computerized data. This means hard copies of the data are not subject to the notice requirements of SB 1386 if unauthorized access occurs. This is not a practical solution for most businesses today, but be sure to factor in encryption and security costs when evaluating the efficiencies the latest software or computer system purports to provide.
Has a Breach of the Computerized Personal Information Occurred?
Finally, the notice obligation under SB 1386 arises only when there is a reasonable belief that there has been, or there actually has been, "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business." This means if you have computerized personal information (whether you own it or license it and wherever such information resides) and someone who is not supposed to gains access to that information, you may have to give notice of the breach to any California residents who are the subject of the computerized personal information. Note, SB 1386 does not limit its application to a customer's personal information; an employee's personal information is also covered.
There is also risk for downstream security breaches. Under SB 1386, good-faith acquisition of personal information by an agent or employee of a person or business, for the purposes of that person or business, is not a breach so long as the personal information is "not used or subject to further unauthorized disclosure." This suggests that a person or business will be liable where access is granted to an agent or employee without care to prevent further unauthorized disclosure. Think about a disgruntled employee with access to your computer system, or worse, with a laptop that has personal information about residents of California on it. If unauthorized access occurs, or you have reason to believe it occurred, SB 1386 will have been triggered. Under the same logic, consider your independent contractors. Have you outsourced all of your IT functions? Does your contract with them require notice to you in the event of a breach of data security?
TOP 10 ACTION ITEMS FOR SB 1386
1. Review and revise your data security policies and procedures, including internal and external notification procedures.
2. Review the data you collect to facilitate more cost effective notice in the event you have to send SB 1386 notice.
3. Encrypt your data!
4. Review and revise data destruction procedures.
5. Review and revise independent contractor agreements.
6. Review technology and systems to ensure notice of potential and actual breaches is received.
7. Identify law enforcement contacts to notify in the event of a breach.
8. Coordinate with credit bureaus in the event of breach.
9. Review insurance coverage to determine if SB 1386 violations are covered.
10. Consider an arbitration program to cover claims under SB 1386.
Think also about your data destruction procedures. Chances are you have a vendor that does document destruction for you. Besides requiring notice from them in the event of a security breach, they should be required to implement security safeguards. In the event of a breach, who is going to pay to send the notice, particularly if fault for the security breach appears to lie with the vendor?
The CEO's Response
You cannot believe your ears. Your IT manager is telling you that your brand new web-based CRM system may have been breached. The first questions start rolling out, "How long until you can confirm there has been a breach? What server may have been accessed? What information resides on that server? Isn't our data encrypted?"
Your outside counsel chimes in, "We already are assembling the security breach business response team in accordance with the company's data security policies and procedures. One of the first items in the procedures is to alert you or the chief privacy officer within 24 hours of becoming aware of a possible breach. We have alerted local law enforcement and the Southern California High Tech Task Force. They are going to work with our IT department to see what sort of tracing can be done. It looks like the log files may have been tampered with. We should know within the next day or two whether or not a breach occurred and what server was targeted. As part of last year's outsourcing, we have an inventory of each server used by our company and the information resident on it so once we identify the server, we will know which information may have been accessed."
The IT manager steps in, "We do encrypt all of our sensitive data, including customer and employee names, mailing addresses, e-mail addresses (which we started collecting after we revised our data security policies), social security numbers, driver's license numbers, account numbers, PIN codes, and even transaction histories. We use the latest advanced encryption standard - the Rijndael algorithm with at least 128-bit cipher keys."
Back to the outside counsel, "The business response team's next task is to figure out whether a breach occurred. If we are unable to determine for sure, our next step will be to identify what records may have been accessed so we can figure out how many people might need to be notified. The IT manager says that the IT vendor is cooperating fully. I reminded them that their contract can be terminated if they fail to cooperate with security breach investigations, and that the longer it takes to figure out the scope of any breach, the larger the damages for which they may be liable under their contract. We are reviewing your crimes insurance policy to determine when and if notice needs to be given to the insurer. At this point, we are not sure there has been a 'loss' under the policy."
The CEO brings the conversation to an end: "I want updates at least daily. I want to know as soon as the team figures out whether a breach has occurred, whatever the time of day or night. In particular, they need to figure out whether our encryption has been compromised." With that, the CEO hangs up and pockets his cell phone. Shaking his head, he's thinking, "So much for the trouble-free launch," as he heads back out of the lodge to get one last run on the slopes and enjoy what's left of the three day weekend.
Gavin G. Galimi is an attorney with Katten Muchin Zavis Rosenman. Gavin works extensively with software and technology companies across all industries. He is based in the firm's Los Angeles office and can be reached at: 2029 Century Park East, Suite 2600, Los Angeles, California 90067. He can also be reached by telephone and e-mail: gavin.galimi@kmzr.com or 310-788-4732. Katten Muchin Zavis Rosenman (www.kmzr.com) offers integrated, full-service legal capabilities through offices in the nation's largest centers of business, finance, government and technology - New York, Los Angeles, Chicago, Washington, D.C., Charlotte, N.C., Palo Alto and Newark, N.J. The firm's 650 attorneys in more than 60 practice areas are business advisors and advocates for public and private companies - from entrepreneurial, emerging growth and middle market companies to global Fortune 100 companies - as well as government entities and non-profits.
© 2004 by Gavin G. Galimi. All rights reserved. This article is not to be construed as legal advice.
Take me back to the SCribe - March 2004