By Stephen E. Hyam
During the last several years, large businesses and government agencies have fallen victim to electronic data breaches. The names are well-known: Target, Home Depot, Anthem, and the Social Security Administration. While data breaches at big businesses and government agencies garner headlines, small businesses should also determine whether their data must be secured. A number of different federal and state laws apply to data privacy and security. This article provides a general overview of one of the major California laws.
Your Business Must Protect Personal Information
Companies conducting business in California are required to disclose a breach to California residents whose unencrypted personal information has actually been or is reasonably believed to have been subject to unauthorized access. Civil Code section 1798.82. Personal information includes either an individual’s first name or first initial and last name in combination with any one or more of the following:
- a) Social security number;
- b) Driver’s license number or California identification card number;
- c) Account number; credit or debit card number in conjunction with any required security code, access code, or password that would permit access to an individual’s financial account;
- d) Medical information;
- e) Health insurance information;
- f) Information or data collected through the use or operation of an automated license plate recognition system; or
- g) A user name or email address, and a password or security question and answer that would permit access to an online account.
Civil Code section 1798.82(h).
This broad definition of “personal information” subjects many businesses to the reporting requirement in the event of a data breach. If the breach affects more than 500 California residents, the reporting requirement includes not only notifying the affected (or believed to be affected) individuals, but also the California Attorney General.
Depending on the data that your business stores, there may be different requirements for privacy, security, reporting, and liability. For example, businesses subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have different requirements, which will be the subject of future articles.
Penalties for Data Breach Hit The Bottom Line
Companies that suffer a data breach can incur legal and non-legal damages. On the legal side, the company is exposed to damages from a civil action as well as a potential court order requiring the company to take corrective action. On the non-legal side, businesses affected by data breaches typically incur costs for investigation and forensic examination of their systems to identify the problem, consultants to recommend ways to decrease the risk of future breaches, and data monitoring services for those affected. Studies show that businesses also lose customers.
How To Strengthen Your Data Security
If your business stores protected personal information, there are steps you can take to decrease your risk of data breach:
- The data should be encrypted. Since the California statutory disclosure obligation relates to unencrypted personal information, encryption is an important step in strengthening data security and decreasing liability. California law defines encryption as “rendering the data unusable, unreadable, or indecipherable” to anyone without authorization. Encryption is achieved through security measures that are generally accepted by information security professionals.
- Access to the personal information should be restricted through, for example, company policy and isolating the electronic data. Limiting access to personal information helps lessen the potential for accidental or malicious breaches by employees.
- Implement a document retention policy – and follow it. Consider how long you keep personal information, review the legal standards for retaining that information, and weigh the business reasons to retain records that contain personal information. For example, California law requires that certain employment records be retained for three years; however, the statute of limitations for wage and hour violations can be four years. As a result, we recommend employment records be maintained for at least five years.
- Consider cybersecurity insurance.
Thank you for joining us on ClarkTalk! We look forward to seeing you again on this forum. Please note that the views expressed in the above blog post do not constitute legal advice and are not intended to substitute the need for an attorney to represent your interests relating to the subject matter covered by the blog. You should certainly consult legal counsel of your choice if you have data breach issues. If you wish to consult with the author of this post or another attorney at Clark & Trevithick, please contact Stephen E. Hyam by email at firstname.lastname@example.org or telephonically by calling the author at (213) 629-5700.