California s New Hacker Disclosure Law and its Potential Impact on Canadian Businesses

Transcription

1 Reprinted from The Lawyers Weekly, August 15, 2003 California s New Hacker Disclosure Law and its Potential Impact on Canadian Businesses Berkley D. Sells Fasken Martineau DuMoulin LLP A California law which came into effect on July 1, 2003 requires businesses to notify their customers if a hacker has gained access to unencrypted personal information. The statute does not impose monetary penalties. However, businesses that fail to comply, or that try to conceal data theft, could be exposed to costly litigation including class-action lawsuits. The reporting requirements in the California law will impact on many Canadian businesses and may cause some Canadian businesses serious problems both because online transactions typically travel through a host of intermediaries (often situated in California) and because it may be impossible for a Canadian business to know if a given customer is a California resident. Canadian businesses may be obliged to elect to notify all their customers so as to avoid breaching the California law (e.g., by inadvertently failing to disclose a security breach to a California resident). The Problem Poor security for electronic data is regarded as a major factor in the increasing incidence of one of the fastest growing crimes in North America: identity theft. The U.S. Justice Department has estimated that as many as 700,000 people may be victims of identity theft each year. In July 2003 an industry analyst estimated that as many as 7 million U.S. adults, or 3.4 percent of U.S. consumers, were victims of identity theft in the previous 12 months. Criminals steal personal information, often electronically, and then use the information to open credit card accounts, write cheques, buy cars, and commit other financial crimes. Credit card transactions, magazine subscriptions, telephone numbers, real estate records, automobile registrations, consumer surveys, warranty registrations, credit reports, and internet web sites are all fertile sources of personal information and form the basic source material for identity theft. Existing law both in the United States and in Canada addresses the maintenance and dissemination of personal information by businesses. California is perhaps on the forefront of North American jurisdictions in legislating with respect to these issues and specifically with respect to electronic identity theft. Existing California law provides, for example, that a business must take steps to promptly destroy records that contain a customer s personal information. Civil remedies are already available for violations of these provisions.

2 California s Solution The newly enacted California law goes much further to address unauthorized access to personal information. The new law requires a state agency, a person or a business that conducts business in California and that owns or licenses computerized data that includes personal information, to disclose (in specified ways) any breach of the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The law permits the required notifications to be delayed if a law enforcement agency determines that it would impede a criminal investigation. The new law, Bill Number SB 1386, amends section of California s Civil Code (and renumbers it ) to provide, among other things that any customer injured by a violation may institute a civil action to recover damages and that injunctive relief is also available. The bill also adds a new section ( ) to the Civil Code which, among other things, requires (i) mandatory disclosure of security breaches (ii) in a timely and (iii) prescribed fashion. Dealing with each of these elements in turn: Mandatory Disclosure Any person that conducts business in California, and that owns or licenses computerized data that includes personal information, must disclose any security breach to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The full ambit of this requirement is uncertain and it has not yet been considered by the Courts; however, it has the potential to significantly impact on many Canadian businesses. A Canadian business selling goods to a California resident, for example over the internet, would appear to be caught by the provisions of new law. Similarly, where a Canadian company has an internet service provider in California, the Canadian business may also be caught by the broad wording of the law. The reality of North American free trade means that many Canadian businesses conduct at least some business in California and therefore must now be alert to their notification obligations. Timing of Disclosure The required disclosure is to be made in the most expedient time possible and without unreasonable delay but is subject to the needs of law enforcement or measures necessary to determine the scope of the security breach and to restore the reasonable integrity of the system. Form of Notice Notice may be provided by one of the following methods: (1) written notice, (2) electronic notice, or (3) substitute notice (if the person obliged to give notice demonstrates that the cost of providing normal notice would exceed $250,000.00, or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information). Substitute notice consists of all of the following: (a) notice when the person or business has an address for the subject persons; (b) conspicuous posting of the

3 notice on the web site page of the person or business, if the person or business maintains one; and (c) notification to major Califonia-wide media. Notwithstanding the above prescribed forms of notice, if a business maintains its own notification procedures as part of an information security policy for the treatment of personal information (and is otherwise consistent with the timing requirements of the legislation) then the business is deemed to be in compliance with the notification requirements if the business notifies the subject persons in accordance with its policies. In light of the above, it would be prudent for Canadian businesses doing any business in California to create notification procedures whereby their customers, especially those customers who are California residents or those whose place of residence is unknown, can be given prompt notice in a cost effective fashion (e.g., by ). Definitions The security breaches in issue - or breach of the security of the system in the words of the legislation - are defined as unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. The term personal information in turn is defined as being an individual s first name or first initial and last name in combination with any one or more of the following elements, when either the name or the data elements are not encrypted: (a) (b) (c) social security number; driver s license number or California Identification Card number; or account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. But personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Questions There are a number of issues arising from the wording of the law which will have to be judicially considered. For example: (1) just what constitutes conducting business in California is unclear there is no definition of conducts business in California. It seems obvious that a business does not have to have a physical office in the state in order to be caught by the provisions of the law. If a business is selling products or providing services to residents of California, it is likely to be considered to be conducting business in California within the meaning of the law;

4 (2) the disclosure obligation is triggered by an incident in which customer data is reasonably believed to have been compromised. Just what is reasonable in the circumstances, and what level of knowledge of the penetration is necessary, is unclear; (3) businesses may delay disclosure to meet the legitimate needs of law enforcement. This, in effect, gives law enforcement officials (presumably Californian or FBI officials but perhaps also foreign law enforcement officials) the ability to exempt a business from its disclosure obligations at least for some period of time. What is legitimate, how long a delay is permissible and who can grant an extension remains unclear. Going Nation-wide? One of California s U.S. Senators, Democrat Dianne Feinstein, has proposed making California s approach to notification of data theft apply throughout the United States in the form of a national Notification of Risk to Personal Data Act. The proposed legislation would: require a business or government entity to notify an individual when there is a reasonable basis to conclude that a hacker or other criminal has obtained unencrypted personal data maintained by the entity; define as personal data an individual s Social Security number, driver s license number, state identification number, bank account number, or credit card number; subject entities that fail to comply with fines by the Federal Trade Commission of $5,000 per violation or up to $25,000 per day while the violation persists (State Attorneys General can also file suit to enforce the statute); and allow California s new law to remain in effect, but preempt conflicting state laws, so as not to put companies in a situation that forces them to comply with the notification laws of 50 different states. Conclusions The message from California s new law is clear: information security is no longer simply a matter for the information systems department or computer experts. Today, securing personal information rises to the level of senior management s responsibility. Businesses, including Canadian businesses, that ignore security breaches, or seek to cover them up, are inviting litigation. In addition, the California law may create a potential public relations disaster for a business. Repeated notice of security breaches will undermine customers confidence and it is not merely actual compromises of information which must be reported but also suspected compromises. Large organizations, such as banks, are frequent targets of hackers. Moreover, once a company has publicly disclosed a hacking incident it may prompt other hackers to also attempt to

5 penetrate the company s system, prompting yet more notices and a potentially viscous spiral of incidents and disclosures and perhaps also lawsuits. Given that Californians are regarded by some as being as litigious, and given the aggressive nature of the plaintiff s bar in that state, the law could open the floodgates to litigation including of course class actions. Even nuisance litigation can cause serious disruption and considerable cost. Every Canadian business would be well advised to reflect on the extent to which it conducts business in the state of California, the quality of its data security efforts and how it will be impacted by California s new legislation. About the Author: Mr. Sells is a litigation lawyer in the Toronto office of Fasken Martineau DuMoulin LLP and has often acted as counsel in disputes involving computer and internet issues and electronic evidence. This article is intended to provide brief general information and does not constitute legal advice. Readers are encouraged to speak with legal counsel, in particular counsel qualified to give advice as to California law, in order to determine how the issues discussed above may apply to their particular situation.