Article Excerpt
The Recent Wave of Security Breaches
Hardly a week passes without a news story about the theft of personal data from the computer database of a major company or organization. This year alone, the personal information of at least nine million people has been compromised by database breaches at companies that keep such information.
Information security studies have indicated that the number of database breaches has increased recently, along with their frequency, severity, and the costs of responding. One recent survey found that nearly 80 to 90 percent of Fortune 500 companies and government agencies have experienced security breaches. In 2003, California, which leads the nation in privacy protection statutes, enacted a law to address this situation. The California Database Breach Notification Security Act gives individuals early warning when their personal information has fallen into the hands of an unauthorized person so that they can take steps to protect themselves against identity theft or to mitigate the crime's impact. The first of its kind, this law has served as the catalyst for similar legislation enacted in 15 other states, as well as legislative proposals in Congress and the majority of the other states.
California's Security Breach Statute
Requirements. The California security breach statute requires public disclosure of computer security breaches in which the unencrypted confidential information of any California resident may have been compromised. The law applies to any person or entity that does business in California, even if located out of state, and that owns or licenses computerized data that includes personal information.
Security Breach. A "breach of the security of the system" is defined by the statute as the "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business."
Personal Information. The statute defines "personal information" as an individual's first name or initial and last name in combination with any of the following: the individual's Social Security number; driver's license or identification number; or account number or debit or credit card number, together with any required access code that would permit access to an individual's financial account.
Notification Obligations. A company that has been affected by a security breach must make the disclosure "in the most expedient time possible and without unreasonable delay." Notice may be delayed when a law enforcement agency determines that the notification will impede a criminal investigation.
Notification to affected consumers may be provided in writing or electronically if the electronic notice complies with the Federal Electronic Signature Act. If a company can demonstrate that the cost of providing notice would exceed $250,000, that the affected class of subject persons to be notified exceeds 500,000, or that the company does not have sufficient contact information, then the company can rely on "substitute notice" to comply with its notification requirements. Substitute notice involves the following three actions: (1) e-mail notice when the company has e-mail addresses for the subject persons; (2) conspicuous posting of the notice on the company's web page, if it maintains one; and (3) notification in major statewide media.
State Legislation Outside California
At the time of enactment, California was the only state requiring disclosure of security breaches involving personal information.[1] Consequently, companies that suffered database breaches notified affected individuals in other states voluntarily, amid public pressure and threats from each state's attorney general. Since then, legislation has been proposed in almost every state and in Congress and has been enacted in 14 other states.[2] In some respects, the legislation is very similar to the California...