Early this year Derek Bond really did have a holiday from hell. In February 2003 the 72-year-old British tourist was arrested, and held in a South African police cell, on the orders of the FBI, who believed him to be a fraudster operating out of Las Vegas. In fact the alleged fraudster in Las Vegas was Derek Sykes. The two men’s names are not similar, nor are their faces, so how did the FBI make such an obvious mistake? Electronic identity theft.

In 2000 the Los Angeles County Sheriff's Department handled 1,932 cases of identity theft. This represented a 108% increase over the previous year's caseload. The reason for this increase can be attributed to the fact that personal data identifying individuals is now, more often than not, given and stored electronically. From surfing the web or using the cash point to borrowing library books and paying taxes, individuals are continually providing their personal information to third parties. This information is then processed and stored electronically.

The electronic storage of personal information is a boon for criminals who steal personal information such as social security numbers and use the information to open credit card accounts, write fraudulent cheques, buy consumer goods, and commit other financial crimes using other people’s identities.

In order to limit the potential for identity theft and to alert individuals to security breaches that may affect them, the State of California has passed an amendment to its Civil Code that comes into effect on 1 July 2003. Under the new law, SB 1836, state agencies, businesses and individuals that own or license electronic personal data regarding any resident of California have a duty, in certain circumstances, to disclose a breach of the security of the data.

The reach of the amendment is global, affecting any company whether or not it is based in California. However, there are certain criteria that must be met before the obligation to notify arises. The criteria are that the security breach must involve the personal information of a resident of California, i.e., their first name or initial and surname, and one or more of the following pieces of data:

  • social security number;
  • driver's license number or California Identification Card number;
  • an account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

If the above criteria are met, the notification requirements will only be triggered in situations in which either the name or the additional data elements are not encrypted.

Where necessary, notification to the affected customers must be made as soon as possible and without unreasonable delay. Notification must be made to the individual and may be made either in writing or electronically, subject to the individual being given the information required under the federal Electronic Signatures in Global and National Commerce Act of 2000 and expressly consenting to the use of electronic notices.

There is a derogation from the requirement to notify each individual where either the cost of providing the requisite notice would exceed $250,000, or the number of people to be notified exceeds 500,000. In instances where the notifying party does not have sufficient contact information for the individual, it may provide substitute notice. Substitute notice requires all of the following:

  • an e-mail notice to be sent (if e-mail addresses are available);
  • a notice to be posted on the notifying party's web site; and
  • notification to major statewide Californian media.

Failure by any party to comply with SB 1836 gives the affected individuals grounds for civil actions to recover damages.

The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.