On July 1, 2003, California enacted an electronic data privacy law to protect residents from one of its fastest growing crimes: identity theft. SB 1386 (Civil Code 1798.29) requires businesses to notify California residents if a security breach results in disclosure of personal electronic data. All businesses are subject to this law regardless of size, location, or operations. Business owners should be aware of the problems associated with identity theft, the steps required to comply with SB 1386, and the preventative measures available.
Identity theft is a significant problem for both citizens and financial institutions. The FTC estimates that over 27.3 million Americans have been the victims of identity theft in the past five years. The U.S. financial impact is staggering; in 2002 alone, losses were estimated at $48 billion to financial institutions and $5 billion to victims. The FTC reviewed trends from 214,905 cases reported in 2003, and California accounted for the highest number of incidents (39,452). In 20% of all cases, the source of the information breach involved disclosure of personal data over the internet or other electronic sources. In 55% of all cases, the identity theft resulted in credit card, bank, or loan fraud. Federal and state laws address this growing problem.
In January of 2001, Eli Lilly settled with the FTC after accidentally releasing the e-mail addresses of nearly 700 consumers who were using the company’s anti-depressant Prozac. Seven months later, Microsoft was targeted by the FTC for misrepresenting the security of its “Passport Wallet” web service. More recently, in April of 2004, Tower Records faced allegations of allowing and failing to correct a breach that disclosed consumer information including names, billing and shipping addresses, email addresses, phone numbers, and purchase histories. Under the separate settlement agreements, the three companies were barred from misrepresenting website security and required to implement rigorous programs to prevent future incidents.
California’s SB 1386 takes the FTC’s efforts one step further by requiring companies to notify California residents when a security lapse has resulted in disclosure of personal information so that immediate action may be taken to mitigate damages. In 2002, the California state employee payroll database was breached. Confidential information about 265,000 employees was available to hackers...