What Businesses Should Do If Personal Information Is Stolen or Compromised By A Data Security Breach
Prepared By: Melissa C. Marsh, Los Angeles Business Attorney
Written: June 2007
California Law Requires All Businesses To Provide Prompt Notice of a Security Breach. California Civil Code §§ 1798.80 – 1798.84.
California's data security breach notification law, codified in Civil Code §§ 1798.82-1798.84, requires companies doing business in California or with California residents to notify those residents of a data security breach involving unauthorized access to their unencrypted personal information. The notification requirements are triggered when, due to a data security breach, unencrypted data is revealed that includes a California resident's name paired with one of the following pieces of personal information: (1) social security number; (2) driver's license or California Identification Card number; (3) bank account number or credit/debit card number, if in combination with any kind of password or PIN; (4) medical information; or (5) health insurance information. The notification requirements apply to all businesses that conduct business in California, even if the business is incorporated elsewhere and even if the data itself is stored outside California. Companies that fail to properly safeguard personal information, or to notify California consumers of intrusions, can be sued for damages and injunctive relief in civil court. Since the law exempts personal information that a company has stored in an encrypted format, encrypting data may be the easiest way to comply.
If a breach occurs and the personal information is not encrypted, the business must notify any and all California residents whose personal information was acquired, or is believed to have been acquired, "in the most expedient time possible and without unreasonable delay." Typically the law considers 10 days to be within a reasonable time. A short delay may be excused if: (1) a law enforcement agency determines that notification would impede a criminal investigation or (2) the company needs additional time to determine the scope of the breach and restore integrity to its data system.
Notice of Breach should be sent to California residents via First Class Mail, but can also be sent electronically if in compliance with the federal E-SIGN Act, or in accordance with a pre-existing information security policy. "Substitute Notice" is allowed only if the cost of providing notice exceeds $250,000, if more than 500,000 people must be notified, or if the business cannot locate all of the affected individuals. "Substitute Notice" consists of: (i) notice by e-mail; (ii) notice on the party's web site; and (iii) "notification to major statewide media."
Businesses should have systems and procedures in place that dictate how they will effectively and legally respond to a security breach. All businesses should:
- Assess the feasibility of encrypting all personal information;
- Create a new security policy with notification procedures in the event of a breach, and communicate the new policies and procedures to employees;
- Review their contracts with third parties who have access to the company's customer data to ensure they have sufficient security measures in place (e.g., required encryption), identified procedures to respond to a security breach (mandatory notification provisions), indemnity provisions, and insurance coverage for claims resulting from security breaches; and
- Review insurance policies to determine whether there is coverage for claims related to security breaches, or theft of electronic data.
Sample Notice of Security Breach Letter
We are writing to you because of a recent security incident at [name of organization].
[Describe what happened in general terms, specifically what kind of personal information was involved, and what you are doing in response. If the breach does not involve Social Security number, driver’s license/California Identification Card, or financial account numbers, say so.]
To protect yourself from the possibility of identity theft, we recommend that you place a fraud alert on your credit files by following the recommended privacy protection steps outlined in the enclosure.
[Add this paragraph if a credit card or financial account number was involved]
To protect yourself from identity theft, and to help prevent unauthorized access and fraudulent activity on your account, we recommend that you immediately contact [the credit card or financial account issuer] and close your account. Tell them that your account may have been compromised, and ask that they report it as "closed at customer request." If you want to open a new account, ask your account issuer to give you a PIN or password. This will help control access to the account.
[Add this paragraph if a California Driver's License or ID number was compromised]
Since your California Driver's License or Identification Card was involved, we recommend that you immediately contact the Department of Motor Vehicles' Fraud Hotline at 1.866.658.5758.
[Add this paragraph if medical information was involved.]
We recommend that you regularly review the explanation of benefits statement that you receive from [us, your health insurance plan, or your health insurer]. If you see any service that you believe you did not receive, please contact [us, your health insurance plan, your health insurer] at the number on the statement [or provide a number here]. If you do not receive regular explanation of benefits statements, contact your provider or plan and ask them to send such statements following the provision of services provided in your name or under your plan number. You may also want to request a copy of your medical records from your [provider or plan], to serve as a baseline.
[Continue with the following.]
You may want to order copies of your credit reports and check for any bills or delinquencies you do not recognize. If you find anything suspicious, call the credit reporting agency at the phone number on the report. You can order your reports from the three credit reporting agencies for free each year by calling 1-877-322-8228, or by going to www.annualcreditreport.com.
You can also contact the three credit reporting agencies directly by calling:
- Trans Union: 1-800-680-7289
- Experian: 1-888-397-3742
- Equifax: 1-800-525-6285
After you receive a copy of your credit reports, review them carefully for: (1) accounts you do not recognize, (2) newly added personal information that does not belong to you (an incorrect address or telephone number), and (3) inquiries from creditors from whom you did not request any credit. If inaccurate information is presented, or fraudulent credit has been obtained, you should file an identity theft report with your local police department and retain a copy of the report. If you run into problems, insist that they take the report.
If you do not notice any incorrect information on your credit reports, continue to check them periodically.
As stated above, you should also consider placing either a Fraud Alert or a Security Freeze on your credit file. A fraud alert will alert potential creditors that you have been a victim of fraud, and most will call your listed number to confirm that you actually requested the credit. Even if there are no inaccuracies on your credit reports, we strongly suggest that you at the very least request a fraud alert to inhibit future criminal activity. A Security Freeze, on the other hand, will prevent anyone from opening any new credit accounts in your name, including yourself.
We regret that this incident occurred and want to assure you that we are reviewing and revising our procedures and practices to minimize the risk of recurrence. Should you need any further information about this incident, please contact [name of the designated agency official or agency unit handling inquiries] at [phone number].
Please keep a copy of this notice for your records to present to a credit reporting agency, health care provider, or the police, if necessary.
If you have any questions, or would like the assistance of business law attorney Melissa C. Marsh, please call 818.849.5206 or email firstname.lastname@example.org.
California Business Law attorney, Melissa C. Marsh, is based in Sherman Oaks and West Hollywood, and is available to serve small and midsize businesses throughout Los Angeles County, including: West Hollywood, Miracle Mile, Beverly Hills, Century City, Santa Monica, Burbank, North Hollywood, Valley Village, Toluca Lake, Studio City, Sherman Oaks, Van Nuys, Encino, and Woodland Hills.
© 2007 Melissa C. Marsh. All Rights Reserved.