Michael Born, Claims Counsel – Media/Professional Insurance
Have you ever been nearly run off the road by some driver who thinks the speed limit is only a suggestion and that he is entitled to take his half of the road out of the middle? Did you say to yourself, “I should really call and warn someone about that idiot before he hurts somebody?” If you do business in California and maintain customer or client information on a computer system, you may now be required to give such a warning when the “road” is the Internet and “that idiot” is a hacker who has just gained unauthorized access to your computer system.
A new law enacted by the State of California and scheduled to become operative on July 1, 2003, will require any person or business that conducts business in California to warn California residents when their personal information has been accessed by an unauthorized person. The stated purpose of the bill is to require prompt notice to victims of identity theft so that they can act quickly to minimize damage. The California legislation, thought to be the first of its kind, may have been prompted by an incident in April 2002, when hackers broke into the payroll database for the State of California. The state controller’s office failed to notify state employees until two weeks after the break-in was discovered. Although there is no indication that the information gained by the hacker was used illegally, this delay in notice certainly enlarged his window of opportunity to do so, because state employees were unaware of the incident and therefore could not take steps to protect themselves against the misuse of the information.
At the heart of Senate Bill No. 1386 is the following language: “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Note that the notice obligation attaches to unencrypted personal information; data that was encrypted when acquired falls outside the quoted language.
The bill defines “personal information” as any combination of a person’s name in connection with any one of the following: social security number, driver’s license number or any financial account number when combined with the code or password needed to gain access to that account. Once it is learned or “reasonably believed” that there has been unauthorized access to personal information, disclosure must be made “in the most expedient time possible and without unreasonable delay.” Although no specific time frame is set forth in the statute, this language makes it clear that the disclosure must be swift. The specific form of the notice itself varies depending on the circumstances and is set forth in the statute itself or in other laws referenced in the statute.*
Although there are no independent penalties for violation of the statute, anyone injured by a violation may file a civil action to recover damages. Even before this statute was enacted, a consumer damaged by unauthorized access to his personal information could likely file a lawsuit against the business that failed to protect the information, and any additional failure of the business to promptly notify its customer of the unauthorized access would surely be used as evidence against that business. However, the statute mandating prompt notice will certainly increase the likelihood a business that fails to provide such notice will be found liable.
While many may see the California law as burdensome, giving notice to customers as required by the statute is prudent risk management regardless of the law. As uncomfortable as it may be to tell clients that their personal information has been or may have been compromised, such efforts will allow clients to protect themselves from unauthorized use of this information. Ultimately, a savvy client will appreciate the early notice. Furthermore, if a business does all it can to help its client limit any potential damage from unauthorized access to personal information, those efforts will also provide an excellent defense if the customer decides to file suit.
Like any other road, if you know the rules and respect them, the information superhighway can help you get where you want to go. For those who don’t know or choose to ignore the rules, the journey may be a long and expensive one. Have a safe trip.
*For specific advice on how to comply with the California law, consult with your attorney. Also, please note, this article is not meant to suggest that any insurance policy issued by Media/Professional Insurance would provide coverage for any or all claims arising out of or related to unauthorized access to a computer system. Coverage for any particular claim depends on the circumstances of the claim and the language of the relevant policy.