Infotech and the Law: New California privacy law has nationwide ripple
- By Devon Hewitt
- Jul 02, 2003
In 2002, hackers broke into a California state payroll database and gained access to confidential personnel data for more than 250,000 employees. The state did not become aware of the security breach for a month and took another two weeks before notifying state employees. On July 1, California Senate Bill 1386 went into effect to decrease the chances of such a crime happening again.
Among other things, the bill requires that Californians get prompt notice regarding disclosures of their confidential personal information so they can take steps to protect themselves and their assets.
The bill not only applies to state agencies, but also to any person, company or nonprofit organization that conducts business in California and stores personal information about its residents on computers, regardless of whether the person or organization has an office or computers in California.
Personal information is considered to be a resident's first name or first initial, last name and the following: Social Security number, driver's license number or California Identification Card Number. Also included are account, credit or debit card numbers and any required security code, access code or password that would permit access to an individual's financial account.
The name and corresponding information, moreover, must be linked or stored together in the computer system. Personal information does not include that which is publicly available from federal, state or local governments.
The bill requires a person or organization to notify Californians when it is known or reasonably believed that personal information stored on the entity's computer system has been disclosed to an unauthorized source as a result of a security breach. The notice should be given "in the most expedient time possible and without unreasonable delay."
Failure to give the required notice could subject an organization to lawsuits for damages suffered, such as those from identity theft, by people whose personal information was disclosed. The bill also permits courts to enjoin businesses that fail to comply with the law.
There are some exceptions to the notice requirements, the most notable of which is that notice is not required if the disclosed personal information was at least partially encrypted. Organizations also may not be required to give notice if law enforcement personnel ask that it be withheld so they may pursue an investigation.
Proponents of the bill argue that this provision encourages companies to work with law enforcement earlier in the process, thereby increasing a state's ability to pursue and prosecute hackers. They also contend that the bill will highlight the importance of organizations maintaining a security policy that includes audit and training functions as well as providing notification in the event of unauthorized disclosure.
California is pushing the bill as a model for federal legislation. Under the federal Privacy Act, both federal agencies and government contractors that maintain a "system of records" including personnel information are prohibited from disclosing such information to any unauthorized person or entity. The Privacy Act requires agencies and contractors to establish appropriate safeguards to ensure the security and confidentiality of these records.
If an agency fails to comply with these requirements, and such noncompliance results in an "adverse effect" on a government employee, that employee may sue the agency for civil damages.
The Privacy Act, however, does not yet require an agency or a contractor to notify a government employee upon learning of an unauthorized disclosure. That may soon change.
Devon Hewitt is a partner of Government Practices at ShawPittman in McLean, Va. She can be reached at firstname.lastname@example.org.