Technology Commentaries: California Raises the Bar on Data Security and Privacy

California has recently enacted two landmark pieces of consumer rights legislation, each of which creates new burdens for companies doing business with California residents. The first, Senate Bill No. 1386 ("SB 1386"), requires any company that stores customer data electronically to notify its California customers of a security breach to the company's computer system if the company knows or reasonably believes that unencrypted information about the customer has been stolen. The second, Senate Bill No. 1 ("SB 1"), commonly known as the California Financial Information Privacy Act, creates new limits on the ability of financial institutions to share nonpublic personal information about their clients with affiliates and third parties. This Technology Commentaries provides a brief overview of each of the new laws and what companies should be doing to comply with the new statutes.

Security Breach Statute

SB 1386 obligates companies electronically storing the unencrypted personal information of any California resident to notify such persons of a security breach to the database storing their data. Passed almost unanimously by the California Senate and Assembly and effective July 2003, the statute was created to address one of the fastest growing crimes committed in California, identity theft, but it has far broader legal implications.

Specifically, SB 1386, codified as Civil Code § 1798.82, et seq., requires "any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, [to] disclose any breach of the security system … to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." The statute imposes specific notification requirements on companies in such circumstances. The statute applies regardless of whether the computerized consumer records are maintained in or outside California. As long as a company conducts business in California and owns or licenses computerized data that includes "personal information" (defined below) about residents, it has a legal obligation to notify its California consumers of security breaches to their personal information. The statute thus has broad implications for companies across the United States, and worldwide, if they maintain, own, or license unencrypted computer data containing personal information about California residents.

Consequences of Noncompliance. The statute provides a strong incentive for companies to adopt comprehensive security procedures to limit the vulnerability of their computer systems and to create a plan of action in the event of a security breach. Companies that fail to secure themselves face the cost of notification and the negative impact on image and consumer confidence associated with publicly disclosing a security breach. Moreover, companies face private actions for damages if they fail to notify consumers of a security breach, which could include class actions. The statute also provides that "[a]ny business that violates, proposes to violate, or has violated this title may be enjoined."

"Security Breach" and "Personal Information" Defined. The statute defines "personal information" as an individual's first name or...
