© 2003 Philip R. Green, Law Offices of Green & Green
Dateline – Sacramento
The law provides for criminal and civil penalties for not sending such notice and the only stated limit on this is if notice might impede a criminal investigation. Of course, such a notice by a well known firm, say a bank or trust company, Title Company or other known entity will potentially get calls from the news media with its attendant bad publicity because of the notice of breach. Therefore this process must be carefully planned ahead, to avoid breaching the law and to maintain market share.
Requiring public notification of security breaches in and of itself will be a sensitive matter for most companies. It is therefore important to understand the law, how it will be implemented and enforced, and how to comply with it.
The legislature makes clear that this is an act targeted primarily at reducing exposure to identity theft. According to its proponents, the notification required by the new law will provide the victims of identity theft with more time to mitigate the damages that can result from an unauthorized acquisition of their personal information.
The statute only vaguely defines what type of security breach triggers the notification requirement. The statute defines a "'breach of the security of the system'" as an "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business." The duty to notify California residents is triggered upon the discovery of the breach.
NOTE THAT the law does not require notification when either the name portion or the information portion of the personal information has been encrypted. But the statute does not define what standard of encryption is sufficient. The law does not require notification if the unauthorized person who acquires a California resident's personal information is an agent or employee of the information-owning business, the acquisition was in good faith, and the information was not further disclosed.
The notice must be given “if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person…” Of course this includes a person who hacks in, but it must also include people who had authorization when they received or handled the data and then lost that privilege by being dismissed from the company or the like, so frequent today. Thus all companies that have let go employees who had access to personal data need to be sure those employees do not take any of it with them. Notice must be given quickly: “The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
Privacy has been a hot topic since the first telephone was put into service over 100 years ago. Yet today it seems to take the forefront of many news stories. Privacy in e-commerce is important if such commerce is to flourish as many in government seem to want to see happen. A more informed America is a better America. So, what information is needed to make this law applicable to the database at hand?
The statute provides, “data that includes personal information that the person or business does not own…” so this would be any data that is entered by a customer without notice that the data will be owned by the site owner. It is therefore not data bought from another source, unless the agreement between the source and the buyer is a sale and not a license to use the data, as is frequently the case.
Private information is defined as follows: “‘personal information’ means an individual's first name or first initial and last name in combination with… (1) Social security number, (2) Driver's license number or California Identification Card number, (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.” And one element of the information is NOT encrypted. The statute seems to exempt encrypted databases, since it applies “when either the name or the data elements are not encrypted:…” It therefore appears that encrypted data that nevertheless gets hacked may be exempt from the notice requirements. Yet the law does not specify any form or type of encryption.
What is not private information under this law is also defined out as follows, “ ‘personal information’ does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.”
Notice may be given by electronic means, probably the least public method of those available, and the better one for the good will of any company needing to give notice. Other methods lend themselves to more publicity. Email is also one of the substitute notice methods, available where a company can show that the cost of providing notice would exceed $250,000 “or that the affected class of subject persons to be notified exceeds 500,000…” Direct mail is another method, as is “Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code [“e-Sign”].”
Read § 1798.82 in its entirety to see whether you need to be concerned. This is on the Links page > California Government.
New: California Business & Professions Code § 17529 et seq. is poised to take effect
Note the word Unsolicited. This is a difficult item to prove either way, because the consumers whom this law was designed to protect entered their data on a web site, usually under notice of a privacy policy. Did the consumer opt in to an email list voluntarily or by default? Did the website user agreement get read when the consumer agreed to emails? These policies are agreements that the data gatherer makes with the consumer that the data will be treated in a certain way.
Also, many consumers, especially online or in a purchase on the Internet, may give up their email address when asked. Many credit applications do this. Thus the consumer may have inadvertently consented to (or opted out of, by unchecking the box) an email subscription.
There are criminal penalties. I quote verbatim so as not to misinterpret what it states. The recipient of an unsolicited email can recover actual damages (usually scant) and statutorily mandated liquidated damages of $1,000 for each ad transmitted in violation of the statute, up to 1 million dollars per incident:
“…a recipient of an unsolicited commercial e-mail advertisement transmitted in violation of this article, an electronic mail service provider, or the Attorney General may bring an action against an entity that violates any provision of this article to recover either or both of the following: (A) Actual damages. (B) Liquidated damages of one thousand dollars ($1,000) for each unsolicited commercial e-mail advertisement transmitted in violation of Section 17529.2, up to one million dollars ($1,000,000) per incident. (2) The recipient, an electronic mail service provider, or the Attorney General, if the prevailing plaintiff, may also recover reasonable attorney's fees and costs. (3) However, there shall not be a cause of action against an electronic mail service provider that is only involved in the routine transmission of the unsolicited commercial e-mail advertisement over its computer network. (b) If the court finds that the defendant established and implemented, with due care, practices and procedures reasonably designed to effectively prevent unsolicited commercial e-mail advertisements that are in violation of this article, the court shall reduce the liquidated damages recoverable under subdivision (a) to a maximum of one hundred dollars ($100) for each unsolicited commercial e-mail advertisement, or a maximum of one hundred thousand dollars ($100,000) per incident.” [Emphasis supplied].
Anti-Fraud Provisions:
Section 17529.5 provides that the following are also forbidden, putting a dent into the sale and lease of mailing lists by entities that trade in such lists. This is designed to keep spam free of fraud:
“….(a) The commercial e-mail advertisement contains or is accompanied by a third party's domain name without the permission of the third party. (b) The commercial e-mail advertisement contains or is accompanied by falsified, misrepresented, obscured, or forged header information. This paragraph does not apply to truthful information used by a third party who has been lawfully authorized by the advertiser to use that information. (c) The commercial e-mail advertisement has a subject line that a person knows would be likely to mislead a recipient, acting reasonably under the circumstances, about a material fact regarding the contents or subject matter of the message.”
New: Business & Professions Code Section 17538.45 addresses the situation where someone uses an email system to broadcast to a large group and thus ties up the system. It seems to be the legislature’s answer to the “e-trespass” cases, especially the Hamidi case (94 Cal.App.4th 325, Cal.App.3.Dist., 2001). It talks of users of service providers using email services and computers to send spam.
The statute provides, “…No registered user of an electronic mail service provider shall use or cause to be used that electronic mail service provider's equipment located in this state in violation of that electronic mail service provider's policy prohibiting or restricting the use of its service or equipment for the initiation of unsolicited electronic mail advertisements.”
Hamidi, before its reversal, had held that a permanent injunction may issue on a theory of trespass to chattels: even though Intel, whose system was used for tens of thousands of emails, demonstrated insufficient harm for nominal damages, it showed that Hamidi, a disgruntled ex-employee, was disrupting its business by using its property. Intel showed it was hurt by the loss of productivity caused by distracted employees and by the time its security department spent trying to halt these distractions. Electronic signals are sufficiently tangible to support a trespass cause of action. The Supreme Court of California, however, reversed this holding without comment, leaving the theory to the legislature to invent.
They came up with Section 17538.45: “No individual, corporation, or other entity shall use or cause to be used, by initiating an unsolicited electronic mail advertisement, an electronic mail service provider's equipment located in this state in violation of that electronic mail service provider's policy prohibiting or restricting the use of its equipment to deliver unsolicited electronic mail advertisements to its registered users.”
Mindful of the 1st Amendment, there is a provision that forbids censorship by the service providers: “…(d) An electronic mail service provider shall not be required to create a policy prohibiting or restricting the use of its equipment for the initiation or delivery of unsolicited electronic mail advertisements.”
One should study these new statutes and see whether your clients are, or need to be, aware of them. Carriers likewise need to know, and analysis of insurance policies to cover business loss caused by hackers, infringements and the like should be considered.
© Law Offices of Green & Green 2002 All Rights Reserved