New CA Security Breach Reporting Law Will Have Nationwide Impact
SAN FRANCISCO, CA -- June 30, 2003 -- A new California law that
becomes effective on July 1, 2003, referred to as Senate Bill 1386,
is likely to have a significant impact on the information security
practices of companies doing business in California, including virtually
all sectors of the healthcare industry. Although many healthcare
organizations are currently preparing for the April 2005 compliance
date of the final Security Rule, SB 1386 will cause many organizations
to take immediate steps to strengthen security practices, particularly
with respect to security incident response procedures.
WHAT DOES THE NEW LAW REQUIRE:
The law requires any person or business conducting business in
California to report any breach of security resulting in the disclosure
to an unauthorized person of personal information in electronic
form. SB 1386 only applies to security breaches involving the personal
information of California residents.
Because national companies typically do not segregate data regarding
California customers from other customer or employee data, SB 1386
will affect organization-wide security practices. For example, if
a hacker breaches a database maintained in New York by a medical
device manufacturer that contains data regarding California customers,
then SB 1386 may require notification of the manufacturer's customers
in California.
The California law does not apply to personal information that
is encrypted, which may lead to expanded adoption of encryption
for data at rest in a company's systems. The statute does not, however,
require strong encryption or address the appropriateness of particular
forms of encryption.
WHAT IS PERSONAL INFORMATION:
"Personal information" subject to SB 1386 is defined
as an individual's first name or first initial, combined with the
last name, plus any one of the following identifiers: (1) Social
Security number, (2) driver's license number or California Identification
Card number or (3) account number, credit or debit card number,
in combination with any required security code, access code or password
that would permit access to the account. If both the individual's
name and the accompanying identifiers are encrypted, then the data
does not constitute "personal information."
WHAT CONSTITUTES A SECURITY BREACH:
The law defines a security breach broadly as the "unauthorized
acquisition of computerized data that compromises the security,
confidentiality or integrity of personal information." Good
faith use of the data by a company's employees for business purposes
generally does not constitute a security breach. Particularly troublesome
is the requirement that companies must notify affected individuals
even if it is "reasonably believed" that their personal
information has been acquired by an unauthorized person.
REPORTING A SECURITY BREACH:
In the event of a security breach, a company must disclose the
breach to the California residents whose data has been compromised
"in the most expedient time possible and without unreasonable
delay." The statute does not specify the content of the notice,
but permits notice in written or electronic form.
SB 1386 also permits substitute notice, if it can be demonstrated
that the cost of providing notice exceeds $250,000, or that the
affected class of persons to be notified exceeds 500,000. The onerous
substitute notice provisions require a company to do all of the
following: (1) notify the customer by email, (2) make a conspicuous
posting of the notice on the company's website and (3) provide notice
to major statewide media.
For national companies whose systems have been compromised, one
thing is certain: it would be an exceedingly bad public relations
strategy to notify only California residents of the breach. As a
practical matter, SB 1386 will probably cause many companies to
engage in comprehensive nationwide disclosures in the event of a
security incident.
AN INVITATION TO CLASS ACTION LAWSUITS:
If a business fails to promptly provide the required notices to
individuals after a security breach, any customer injured by the
violation may bring a civil action against the business to recover
damages. Therefore, companies subject to SB 1386 should have security
incident response scenarios prepared, because the law reflects the
realization that the damages resulting from identity theft may be
minimized if individuals have the opportunity to respond quickly.
Unlike HIPAA, which does not provide for a private right of action,
SB 1386 seems to be an open invitation to class action lawsuits
by individuals who have suffered damages arising from identity theft.
While the subject of the California law is the disclosure of security
breaches, SB 1386 implicitly imposes pressure on companies to adopt
appropriate security measures, such as encryption, in order to avoid
the potentially onerous consequences of the law's reporting requirements.
WHAT ARE SOME OF THE ACTIONS THAT HEALTHCARE COMPANIES SHOULD TAKE
TO COMPLY WITH SB 1386?
- Amend your security incident response plan to provide for individual
notification of security breaches (at least with respect to California
residents). If an organization has a security incident response
plan with procedures for notifying individuals whose information
has been compromised, then SB 1386 permits the organization to
utilize its own notification procedures, so long as notification
occurs in the most expedient time possible. An organization's
own notification procedures may be more flexible than the onerous
substitute notice provisions of SB 1386 described above.
- Amend your security incident response plan to ensure that legal
counsel or other appropriate officers are immediately notified
when a security breach is detected. If a security breach is detected
by IT personnel, an organization must be prepared to immediately
begin evaluating whether third-party notifications are required
under SB 1386.
- Identify systems containing personal information and evaluate
logging capabilities that may monitor conduct on the network,
and detect the occurrence and extent of a security breach.
- Evaluate contracts with third parties that involve the transfer
of personal information, to ensure prompt notification of a third
party's security breach involving your data.
FUTURE FEDERAL LEGISLATION?:
SB 1386 was passed in September 2002 in the wake of a much-publicized
computer intrusion into a California state government system that
stored payroll information on 200,000 state workers. Due to nationwide
concerns regarding the proliferation of identity theft, SB 1386
has attracted nationwide attention and may form the template for
federal legislation. Draft legislation being circulated by U.S.
Senator Dianne Feinstein (D-CA), known as the Database Security Breach
Notification Act, is modeled on SB 1386 and would extend its reporting
requirements nationwide. It is expected that Feinstein's bill will
be introduced on Capitol Hill in the near future.