
Vol 2002 No. 18 November 1, 2002

New Bill Requires Notice of Computer Intrusion

A new bill, AB 700, seeks to thwart identity theft by requiring any person or business, including a government agency (hereafter "entity"), that owns or licenses computerized data that includes personal information to notify affected persons of any breach of the security of the data if the data is reasonably believed to have been acquired by an unauthorized person.

According to the author, the idea for the bill was conceived after the hacking of the state's Stephen P. Teale Data Center, which resulted in unauthorized access to the personal information of about 265,000 state workers. Affected employees were not notified until almost two months later. The bill includes an important provision, supported by CBA, that makes the notification requirement inapplicable to a breach of data that is protected by encryption. The bill also supersedes any local rules and ordinances addressing the same subject matter.

The bill applies to any entity that conducts business in California and that owns or licenses computerized data that includes personal information. The notice of breach must be made "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement [referring to the possibility that immediate notice might impede a criminal investigation] . . . or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system." The bill does not include an affirmative obligation to notify law enforcement before a notice is delivered. A person that maintains information on behalf of someone else must notify the owner or licensee of the information of a breach.

A breach is defined as "an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business." There is some language recognizing that if an employee or agent of the entity inadvertently gains access to personal information in the course of the entity's business, the notice requirement is not triggered as long as the information is not "used or subject to further unauthorized disclosure."

Personal information is defined as an individual's first name (or first initial) and last name in combination with one or more of the following data elements: (i) social security number; (ii) driver's license number or California ID card number; or (iii) account number (including credit/debit card number) together with any required security code, access code, or password that would permit access to the account. Personal information does not include publicly available information that is lawfully made available to the general public from government records.

Note that the notice obligation is not triggered where only general identifying information is breached, such as name, address and telephone number, without any of the sensitive data elements. Read literally, the obligation also appears not to apply where only account numbers were breached and they were not associated with the accountholders' names; however, it should not be assumed that the drafters intended this result. Note also that the bill is silent with respect to security protections other than encryption of the personal information (such as firewalls): the presence or absence of such controls has no bearing on whether notice is required. The bill does not define what constitutes encryption. As a practical matter, encrypting only the sensitive data elements (rather than the entire record) would appear sufficient to satisfy the exception.

A notice may be provided in writing, or electronically if consistent with 15 U.S.C. § 7001, the Electronic Signatures in Global and National Commerce Act (known as the ESIGN Act), or pursuant to a notification procedure incorporated in the entity's information security policy, as long as the timing requirements are met. Note that use of electronic notices under the ESIGN Act is conditioned upon, among other requirements, consumer consent to the use of electronic communications, notice of the right to receive paper records, and notice of the hardware and software requirements for accessing the records.

Substitute forms of notice are available where the cost of providing individual notice would exceed $250,000, the number of affected persons exceeds 500,000, or the entity does not have sufficient contact information. If any of these conditions exists, the notice may consist of an email notice (where the entity has email addresses), conspicuous posting of the notice on the entity's web site, or notification "to major statewide media."

The bill becomes effective on July 1, 2003. Questions regarding this bill may be addressed to James Clark, CBA's lead lobbyist on this bill, or Pat Zenzola, at 916-441-7377 x209 and x210, respectively.


The information contained in this CBA Regulatory Compliance Bulletin is not intended to constitute, and should not be received as, legal advice.  Please consult with your counsel for more detailed information applicable to your institution.
CBA Regulatory Compliance Committee

Patricia A. Cantu (Chair), Mary Lou Bonkofsky, Janet Bonnefin, Lyndon Christensen, James Curtis, Vira Jo Denny, Michael Hood, Jeri Killian, Lynn Lawrence, Stuart J. Lehr, Garry Prosperi, Thomas E. McCullough, James Rockenbach, Christine Scott, Deborah Thoren-Peden, James Thvedt and Meg Troughton

Leland Chan, General Counsel
California Bankers Association, 201 Mission Street, Suite 2400, San Francisco, California 94105-1839
Tel (415) 284-6999 ext. 214, Fax (415) 284-1521
E-mail: lchan@calbankers.com