Many businesses compile extensive computer databases of information on their customers. California, for instance, imposes responsibilities on companies of all sizes if there is a breach of the security of that information. While this law has been in force since July 2003, it received widespread publicity only this year, in the wake of security breaches at LexisNexis, ChoicePoint and other companies.
And the recent report of a possible compromise of information among as many as 40 million MasterCard customers demonstrated in frightening clarity the potential for digital data breaches as more and more information is stored and manipulated electronically by more and more people. For many companies, the issue has an impact on operations and marketing, quite aside from the dangers of potential legal liability.
More than ever, e-commerce firms are vulnerable to such problems and would do well to heed counsel's advice to take steps to avoid compromises and legal liability.
Databases and Identity Theft
Many businesses recognize that the data they collect about their customers can be put to profitable use, whether as sales leads for their own products and services or through the sale or rental of their mailing lists to other companies. At the same time, identity theft has been one of the fastest-growing crimes committed in California, according to the state legislature.
The legislature's goal in requiring companies to notify customers of data-security breaches was to give individuals as much of an early warning as possible when their personal information is placed at risk.
In 2003, what had been a small patchwork of laws governing data security grew enormously, at the federal as well as the state level. Since then, other states have adopted laws requiring notification of lapses in customer data security. Sarbanes-Oxley and Gramm-Leach-Bliley are among the acts of Congress in the field, and the Federal Trade Commission (FTC) and other agencies have promulgated regulations.
In September 2004, California alone enacted four new laws extending privacy protection in the state. The touchstone of regulation remains, however, the California statute from 2003, commonly known as A.B. 1386.
The Requirements
A.B. 1386 applies to all businesses, no matter how small, even if they are not incorporated. It also applies to any company that conducts business with California residents; on the face of it, the statute appears to apply regardless of where in the world an e-commerce company is located.
The personal information protected is any unencrypted computerized record (whether the data is owned or merely leased by the company) in which the person's first name or initial, and last name, are combined with any of the following:
The law's requirements are triggered whenever there is a “breach of the security of the system” on which the person's name and any of those numbers are stored. A breach of security occurs whenever the business knows or has reason to believe that an unauthorized person has acquired that information. While the law was designed with online hackers in mind, read literally its requirements are triggered by breaches as simple as the theft of customer data by a fired employee who walks out of the company premises with the data on a floppy disc.
If a breach occurs, the business must expediently disclose the breach to everyone whose personal information was compromised. Subject to certain exceptions, notice must be provided either in writing or electronically, provided that it complies with federal electronic records and signature requirements.
One of the alternative ways that notice can be provided is where companies have information security policies for the treatment of personal information that include their own notification procedures. So, if a company has a method of communicating with its customers, the law permits use of that method rather than imposing a separate requirement. Notice must, however, still be “expedient.”
The penalty for a company's violation of the new law is that it may be subject to lawsuits from customers for damages suffered. The law specifically preserves, for instance, customers' right to assert other claims as well. One can imagine claims for violation of the law being brought on a class action basis under California's unfair competition law. The California Legislature rejected recommendations that companies should merely contact law enforcement agencies to report breaches of security.
Business Issues and Solutions
This issue may have an impact on companies not only on account of potential legal liability for noncompliance, but also in its effects on operations and marketing. If a company is moving its customer communications more toward the Internet, and its strategy is premised on the economics of that, then the company can ill afford to have a perception arise that those who buy from the company risk becoming the victims of identity theft. Banks have been especially careful about this issue, for obvious reasons.
Companies also must consider how to coordinate the new requirements with existing requirements, such as those of the Children's Online Privacy Protection Act (COPPA) and industry-specific laws, such as those governing privacy of medical records. There are some technological measures that companies may be able to take in response to these problems. One is that since A.B. 1386 applies only to “unencrypted” information, in some circumstances companies can encrypt their databases. Another development is that enterprise incident response technology employed on a network now allows companies to monitor and evaluate the existence and severity of security breaches, and to coordinate issues arising under A.B. 1386 with other legal requirements.
Out-of-state companies that have some California customers have to make a choice, as so starkly illustrated by the ChoicePoint case. They can attempt to identify their California customers separately in complying with A.B. 1386, or they can make compliance with California's requirements part of companywide information security policies covering all of their customers.
Many smaller companies (and even not-so-small companies) employ an outsourced managed hosting service. Those companies should verify that their contracts with the outside service, as well as the procedures employed by the service, require the service firm to notify the company if there has been a security breach affecting the company's customer information.
Last, and certainly not least, a company would do well to consider whether its insurance policies cover electronic commerce incidents of this type.
Alan J. Haus is a partner in the San Francisco office of Lewis Brisbois Bisgaard & Smith LLP, where he practices intellectual property law. You can reach Haus at [email protected]. The firm is on the Internet at www.lbbslaw.com/index.asp.