The Importance Of Encryption ' and Planning

The Law

The rule requires state agencies and businesses that conduct commerce in California to notify California residents that their personal information has been compromised under the following circumstances.

• The information meets the definition of 'personal information' ' that is, information not publicly available, and that consists of the first name or initial and last name of a California resident, and at least one of the following types of information: a) Social Security number; b) driver's license number or a California identification card; or c) an account number, such as for a credit or debit card, and any required security or access code or password that enables access to the account.
• The business owns or has licensed the information.
• The information is unencrypted.
• The business learns that the personal information was 'breached,' meaning an 'unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.'

It is important to note that the law is triggered not only when a breach has been determined, but also if the business is aware of facts that would make it reasonable to believe information security has been breached.

If notice is required under the law, it must be given in writing (on paper or in electronic form consistent with the Federal E-SIGN law), unless any of the following circumstances is present:

• The cost of providing such notice would exceed $250,000;
• The affected class of California residents exceeds 500,000 people;
• The business does not have adequate contact information for the affected class of California residents (if any of these applies, the business may give substitute notice by e-mail, posting notice on its Web site, and notifying all statewide major media in California); or
• The business complies with its pre-existing notification procedures, provided that those procedures allow for notice to be given in the most expedient time possible. If a law enforcement authority determines that notice may impede a criminal investigation, then the notification may be delayed pending approval of the relevant law enforcement authority.

California residents are entitled to enforce this new law in civil actions by seeking an injunction or damages.

Risk All Around

On its face, the law is narrow in application. While the frequency of security breaches is increasing, the vast majority of these would not trigger notice under the new law because they do not involve unauthorized access to unencrypted, sensitive, personal information of the type defined in the law. Moreover, there is at least a strong argument that the law applies only to information in storage, as opposed to information in transit.

Where the law does apply, the effects could be devastating. Companies that fail to give notice ' and that get caught ' will certainly face lawsuits by plaintiffs' lawyers who have a relatively easy burden to show that notice was required and notice was not given; and they could seek high damage amounts. On the other hand, companies that do give notice, and comply with the law, will subject themselves to lawsuits for negligently handling consumers' personal information or for some other theory of liability based in tort, or even in contract.

Cases of this sort will also be attractive to plaintiffs' attorneys because the potential class ' all who received the notice ' will be readily available, even if the lawyers must obtain it in discovery. Again, damages could be quite large when aggregated among hundreds or thousands of consumers.

Risk Mitigation

Here are some tips to help avoid problems with the law.

' Re-examine information security policy now. The California law is only the latest example of the increasing regulation of information security. The Federal Trade Commission (FTC) has brought cases against a number of companies for failing to comply with their own security representations. Having brought those cases, it is only a short step to bringing cases for failing to disclose sub-par security procedures, and the FTC may well bring cases on this theory in the near future. The California law is important in part because it makes having inadequate security procedures a threat right now, even if companies do not make affirmative misrepresentations about their information security practices. The most obvious way to address this is to decrease the likelihood of a breach by developing physical, technical and administrative procedures to protect the security, confidentiality and integrity of consumers' personal information.

Companies affected by the law can use a number of helpful guidelines to establish or benchmark such a program, the best of which is probably the FTC's business guidance manual on its Financial Privacy Safeguards Rule pursuant to the Gramm-Leach-Bliley Act. (See www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm.)

' Encrypt! Developing a full-blown security program is no small task. If that cannot be accomplished quickly, then the next best thing to do is to encrypt personal information (as that term is defined in the law) in storage and in transit. This can be accomplished without encrypting all data.

' Establish an internal policy for notice. By establishing an internal policy for providing notice to consumers in the event of a breach of their unencrypted personal information, a company is able to set itself up to give notice on its own terms. The statute appears to require only that the policy provide that the notice be given as soon as possible. Companies may also consider including in the policy a mandate that the company consider referring any breach to law enforcement authorities. This will allow companies a legitimate means of delaying notification until they can get their PR plans together.

Conclusion

The law of information security is developing. It is likely that regulators and class action lawyers will focus first on the most egregious failures to protect consumers' sensitive personal information. The best way for a company to shield itself from liability now is to encrypt personal information and to begin developing a comprehensive information security policy, or of evaluating any existing policy or group of policies.

D. Reed Freeman Jr. is a partner in the competition group of Collier Shannon Scott in Washington, DC. He counsels clients on a wide range of consumer-protection issues, including privacy, information security, advertising and consumer-credit law. He is a member of E-commerce Law & Strategy's editorial advisory board.

California's new security breach disclosure law, SB 1386, codified at Cal. Civ. Code ”1798.29 and 1798.84, went into effect on July 1.

The impact of this law ' on corporate security spending, on the number of disclosures the law triggers and on the use by the plaintiff's bar of these disclosures ' is being carefully monitored by boards of directors, legislators, regulators and other concerned parties nationwide.

A similar bill, introduced by Dianne Feinstein (D-CA) is pending in Congress.

The Law

The rule requires state agencies and businesses that conduct commerce in California to notify California residents that their personal information has been compromised under the following circumstances.

• The information meets the definition of 'personal information' ' that is, information not publicly available, and that consists of the first name or initial and last name of a California resident, and at least one of the following types of information: a) Social Security number; b) driver's license number or a California identification card; or c) an account number, such as for a credit or debit card, and any required security or access code or password that enables access to the account.
• The business owns or has licensed the information.
• The information is unencrypted.
• The business learns that the personal information was 'breached,' meaning an 'unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.'

It is important to note that the law is triggered not only when a breach has been determined, but also if the business is aware of facts that would make it reasonable to believe information security has been breached.

If notice is required under the law, it must be given in writing (on paper or in electronic form consistent with the Federal E-SIGN law), unless any of the following circumstances is present:

• The cost of providing such notice would exceed $250,000;
• The affected class of California residents exceeds 500,000 people;
• The business does not have adequate contact information for the affected class of California residents (if any of these applies, the business may give substitute notice by e-mail, posting notice on its Web site, and notifying all statewide major media in California); or
• The business complies with its pre-existing notification procedures, provided that those procedures allow for notice to be given in the most expedient time possible. If a law enforcement authority determines that notice may impede a criminal investigation, then the notification may be delayed pending approval of the relevant law enforcement authority.

California residents are entitled to enforce this new law in civil actions by seeking an injunction or damages.

Risk All Around

On its face, the law is narrow in application. While the frequency of security breaches is increasing, the vast majority of these would not trigger notice under the new law because they do not involve unauthorized access to unencrypted, sensitive, personal information of the type defined in the law. Moreover, there is at least a strong argument that the law applies only to information in storage, as opposed to information in transit.

Where the law does apply, the effects could be devastating. Companies that fail to give notice ' and that get caught ' will certainly face lawsuits by plaintiffs' lawyers who have a relatively easy burden to show that notice was required and notice was not given; and they could seek high damage amounts. On the other hand, companies that do give notice, and comply with the law, will subject themselves to lawsuits for negligently handling consumers' personal information or for some other theory of liability based in tort, or even in contract.

Cases of this sort will also be attractive to plaintiffs' attorneys because the potential class ' all who received the notice ' will be readily available, even if the lawyers must obtain it in discovery. Again, damages could be quite large when aggregated among hundreds or thousands of consumers.

Risk Mitigation

Here are some tips to help avoid problems with the law.

' Re-examine information security policy now. The California law is only the latest example of the increasing regulation of information security. The Federal Trade Commission (FTC) has brought cases against a number of companies for failing to comply with their own security representations. Having brought those cases, it is only a short step to bringing cases for failing to disclose sub-par security procedures, and the FTC may well bring cases on this theory in the near future. The California law is important in part because it makes having inadequate security procedures a threat right now, even if companies do not make affirmative misrepresentations about their information security practices. The most obvious way to address this is to decrease the likelihood of a breach by developing physical, technical and administrative procedures to protect the security, confidentiality and integrity of consumers' personal information.

Companies affected by the law can use a number of helpful guidelines to establish or benchmark such a program, the best of which is probably the FTC's business guidance manual on its Financial Privacy Safeguards Rule pursuant to the Gramm-Leach-Bliley Act. (See www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm.)

' Encrypt! Developing a full-blown security program is no small task. If that cannot be accomplished quickly, then the next best thing to do is to encrypt personal information (as that term is defined in the law) in storage and in transit. This can be accomplished without encrypting all data.

' Establish an internal policy for notice. By establishing an internal policy for providing notice to consumers in the event of a breach of their unencrypted personal information, a company is able to set itself up to give notice on its own terms. The statute appears to require only that the policy provide that the notice be given as soon as possible. Companies may also consider including in the policy a mandate that the company consider referring any breach to law enforcement authorities. This will allow companies a legitimate means of delaying notification until they can get their PR plans together.

Conclusion

The law of information security is developing. It is likely that regulators and class action lawyers will focus first on the most egregious failures to protect consumers' sensitive personal information. The best way for a company to shield itself from liability now is to encrypt personal information and to begin developing a comprehensive information security policy, or of evaluating any existing policy or group of policies.

D. Reed Freeman Jr. is a partner in the competition group of Collier Shannon Scott in Washington, DC. He counsels clients on a wide range of consumer-protection issues, including privacy, information security, advertising and consumer-credit law. He is a member of E-commerce Law & Strategy's editorial advisory board.