Issue 77 | May 16, 2003
Do You Do Business With California Residents? Then California Senate Bill 1386 Affects You!
If your company stores personal data of individuals residing in California on a computer or other electronic storage system, you should know about California Senate Bill No. 1386, which added Sections 1798.29, 1798.82 and 1798.84 to the California Code of Civil Procedure. Section 1798.29 is the substantive section that applies to government agencies that gather data; Section 1798.82 is essentially identical but applies to individuals and businesses; Section 1798.84 provides for damages and injunctions for violation of the substantive sections. The text of the bill is available through the State Senate's website: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-

Bill 1386, which becomes effective on July 1, 2003, is a new California state law that may dramatically affect your business, even if you do not have offices or employees in California. Passed almost unanimously by the California Senate and Assembly, Bill 1386 was created to address and combat identity theft and ensure that California residents are promptly notified in the event that their personal information is accessed improperly through a security breach.

What is the Effect on Your Company?

Bill 1386 applies to all businesses, non-profit agencies, government agencies and individuals who conduct business in California or own or license computerized data that includes "personal information" of California residents. The Bill applies even if (a) the computer or servers on which the information is stored are not located in California, (b) the computers or servers belong to a third party or (c) the computer or server is not connected to the Internet. Basically, if your company stores the personal information of California residents electronically, the Bill probably applies to you.

What Information is Protected?

The Bill defines "personal information" as an individual's first name or first initial and last name in combination with one or more of the following elements: (a) social security number, (b) driver's license or California ID card number or (c) account number, credit or debit card number in combination with a security, PIN or access code, when either the name or the foregoing elements are not encrypted. Personal information does not include information that is made available to the general public from federal, state or local government records.

What Constitutes a Breach?

To trigger obligations under Bill 1386, there must be a breach of a system that exposes "personal information." Thus, it is important to understand what constitutes a breach.

The text of the Bill is not particularly helpful. It states that a breach is any "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information . . . ." In general, if your company has a policy governing the access to a data source (e.g. Terms of Use), and personal information is accessed in a manner not authorized by the policy, then a breach has probably occurred. Even the unauthorized use of another's user name and password could constitute a breach.

It appears that the obligation to disclose is not triggered if the data that is accessed or stolen was stored in an encrypted form.

What Is Your Responsibility in the Event of a Breach?

A company must disclose the breach to any California resident whose personal information was or was believed to have been acquired by an unauthorized person. The Bill does not state what level of knowledge is required or who must have that knowledge.

Notice may be made (a) in writing or (b) electronically, but only if such electronic notice is consistent with federal law regarding electronic records and signatures.

If a company can demonstrate that the cost of providing notice will exceed $250,000 or that the number of California residents to be notified exceeds 500,000, then it may use a "Substitute Notice" instead of direct mail or electronic notice. Substitute Notice must be made using all of the following: (a) email notice when the company has email addresses for the affected persons, (b) conspicuous posting on the company's website, if it has one and (c) notifying major statewide California media.

If a company already has a policy for notifying customers in the event of a security breach and it otherwise complies with the timing requirements for notice under the Bill, simply following that policy is deemed to comply with the Bill's notice requirements.

The Bill does not set forth any particular criteria for the text of a notice, nor is it clear how quickly a company must act to notify its customers of a breach. Notice must occur in "the most expedient time possible and without unreasonable delay." However, companies are permitted to delay notice in order to meet the "legitimate needs of law enforcement." This permits a company to notify the authorities without "tipping off" the law breaker in appropriate instances.

Who Must be Notified?

The Bill only requires notice to be sent to California residents. However, as a practical matter, companies may choose to notify all of the individuals whose personal information is stored on the same system as that of the California residents. A company should determine whether it is able to segregate personal information of its California customers for purposes of notice. Even if it is possible to do this, the company should consider the potential for negative reactions from customers in other states who were not notified of a breach.

What Is the Risk of Noncompliance?

Any customer who is "injured" by a violation of the new law may seek money damages. Companies who do not comply with the requirements of Bill 1386 might therefore be subject to class action lawsuits. Injunctive relief is also available.

What Steps Can You Take Now to Prepare?
  • Be sure that you understand the law. Consult your in-house attorney or Darby & Darby counsel if you have questions.
  • Review your procedures for both intake and storage of personal information.
  • Determine whether your company can detect security breaches and, if so, at what level.
  • Determine whether California customer information can be isolated from other information.
  • Decide which customers you will notify in the event of a breach.

To discuss these issues further or for more information, please contact Eric A. Prager (eprager@darbylaw.com; 212-527-7647) at Darby & Darby PC in New York.

The information contained in this email is provided for informational purposes only and does not represent legal advice. Neither the APLF nor the author intends to create an attorney client relationship by providing this information to you through this message.