Should someone hack or otherwise gain unauthorized access to your business’s computer network where you store personal information about your customers, you may be required to disclose this security breach to the affected individuals. Most states have enacted legislation requiring notification of data breaches involving personal information, and these states have a multitude of different requirements about when and how you must notify your customers. Importantly, failure to notify the affected individuals of a security breach may result in significant penalties and other liability for you or your business.
Kronenberger Rosenfeld can assist in analyzing a breach under a variety of state laws. Notably, the requirements of California's breach notice law are some of the strictest, and these requirements are placed on any person or business that does business in California, which includes most businesses that operate in the United States over the Internet.
When a company suffers a data breach, the consequences can be severe. We focus on thorough factual analysis in the critical hours and days following a data breach so our clients know their potential financial exposure as soon as possible.
The California Database Security Breach Notification Act (“Act”) requires those who own, license, or maintain computerized data that includes “personal information” to disclose breaches of security in certain circumstances.
“Personal information” is any unencrypted information that can be used to identify a person (such as an individual's first name or first initial and last name) in conjunction with any of the following: a Social Security number; a driver's license number or California identification card number; an account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; or a username or email address in combination with a password or security question and answer that would permit access to an online account.
The Act requires any person or business that owns or licenses computer data including “personal information,” and which is conducting business in California, to notify each California resident of a breach of the security of the data if the individual's personal information was, or is reasonably believed to have been, acquired by a person without valid authorization. The Act also requires any person or business that maintains (but does not own) computer data including personal information to notify the owner or licensee of the information (as opposed to the affected individual/California resident) of a breach of the security of the data if the information was, or is reasonably believed to have been, acquired by a person without valid authorization.
In each instance, the Act requires that notifications be made in “the most expedient time possible and without unreasonable delay.” Cal. Civ. Code § 1798.82(a).
If a data breach involves access to, use or disclosure of patient medical information, then California’s Confidentiality of Medical Information Act and federal law may require reporting within days to government agencies, and may result in significant governmental fines and potential liability from class action lawsuits.
Businesses that experience a breach of security need to take prompt and decisive action to determine whether they need to notify their customers and how to provide the notification. Kronenberger Rosenfeld brings its experience with breaches of security to bear for your company. You can call us at 415-955-1155, ext. 120, or you can submit your case through our online case submission form.