Data Breach? React to the Attack
By Matthew A. Cebrian and Brittany W. Yang
Source: Law Technology News- www.Law.com
In today’s digital economy it is relatively impossible for an enterprise to conduct business without collecting, holding, or storing personally identifiable information — names and addresses, Social Security numbers, credit card numbers, or other account numbers — of customers, employees, business partners, students, or patients. Moreover, given recent cyberattacks against Sony, LinkedIn Corp., eHarmony Inc., Last.fm, and Wyndham Hotels, it seems that such attacks are on the rise. While there is relatively little an attorney can do to thwart the malicious keystrokes of a hacker, she can take steps to ensure her clients are prepared to react to an attack. There are a number of state and federal regulations that mandate that certain steps be taken both before and after a data breach, and failing to comply with these requirements could result in substantial liability, as well as a public relations nightmare. A recent lawsuit filed in the U.S. District Court for the Northern District of California raises questions as to whether mere compliance with California’s privacy laws will act to insulate businesses from liability in the event of a breach.
This act is applicable to any individual or entity (corporation) that owns a commercial Web page or an online service that collects and records confidential personal information from an individual living in California, visiting such Web pages. This act, however, is not applicable to ISPs or similar entities who record data upon request from a third party.
Under OPPA, confidential personal information, collected online, includes first and last names, a street address, an email address, a telephone number, a Social Security number, or various other data which allows the tracking of a user. Personally identifiable information can include date of birth, height, weight, etc., when this information is recorded and stored online by the operator in combination with one of the above identifiers. An individual user is one seeking to or acquiring goods or services, money or credit for himself, his family, or his household.
OPPA is enforced through California’s unfair competition law (California Business and Profession Code §17200 et seq.), which provides for civil fines and injunctive relief and may, in certain instances, allow for the recovery of attorney fees. The upside for those who may face liability stemming from a violation of OPPA, or security breaches generally, is that to a large extent, plaintiffs have not succeeded, and courts usually have dismissed the cases because the suing individuals failed to state legally cognizable claims for damages. See e.g.,Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007). Thus, while a plaintiff may be able to establish a violation of the statute, his ability to recover is somewhat limited by the lack of a cognizable loss.
California was the first state to adopt a law requiring consumers to be notified in the event of a data security breach. The Data Protection Act, or SB 1386, was enacted in 2002, and became effective July 1, 2003. Not surprisingly, since 2003, at least 46 states have since adopted similar laws.
SB 1386 requires businesses to disclose breaches to affected persons “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement … or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
Section 1798.81.5(a) provides: “A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure.”
Section 1798.82(a) of the act states a “person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
For purposes of this statute, “personal information” is defined as “an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number, (2) driver’s license number or California identification card number, (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account, (4) medical information, or (5) health insurance information.” Notably, §1798.84(b), provides for the right to bring a civil action for violating §1798.82.
The act does not define what constitutes “reasonable security measures,” instead requiring that such measures be commensurate with the type of data being maintained by the business. While this might suggest the law requires businesses keep abreast of current encryption practices, the law itself only applies to unencrypted information. Assuming counsel advise their clients to include encryption as part of their risk management strategy, SB 1386 is a lot of bark without any bite. That said, a recent suit filed against LinkedIn suggests that even encryption software will not prevent liability in the event of a breach.
Given the amount of information that is collected by virtually any commercially viable company in today’s economy, and the rise of the frequency of those attacks being mounted by hackers, it is imperative that businesses and their counsel take steps to stay abreast of the applicable privacy laws and formulate comprehensive risk managements policies to combat this growing threat.