California Disclosure Law Reaches Out to Touch Arizona Companies
The last thing a company that has been hacked wants to do is announce it to the world. Indeed, the most recent FBI survey of corporations and government agencies found that while 90% of respondents had detected breaches of their computer security, only 34% reported those breaches to authorities. But a new California law, slated to take effect this summer, could change that, and its reach extends well beyond California to Arizona businesses.
The new law amends California's Information Practices Act ("IPA"). It requires a company to notify any California resident whose personal information may have been compromised by a breach of the company's computer security. Although neither Arizona nor federal law requires similar disclosure, the California law has potentially global reach because it applies to any company that conducts business in California, wherever its offices and systems are located. Arizona companies with California customers or employees are likely subject to the IPA.
The changes to the IPA were passed in response to an attack on a California state government database, in which the hackers acquired the personal information of over 250,000 state employees. Identity theft is on the rise nationwide, and Arizona currently ranks third in the per capita rate of this crime. In December 2002, TriWest Healthcare Alliance's Phoenix office was the victim of a low-tech attack in which the personal information of some 500,000 of its customers was compromised. TriWest is now the defendant in a class action seeking unspecified damages.
The new California law's disclosure requirements are triggered only if there has been unauthorized access to a person's name in combination with one or more of the following: Social Security number, driver's license number, or financial account number (together with any access code or password needed to use the account). The law also does not apply if the personal information was encrypted or is available in public records. While this limits the law's application in theory, the burden is on the company to know which of its systems hold personal information subject to the law, whether that information is stored encrypted, and whether it has been accessed.
Companies may have difficulty complying with the disclosure requirements of the IPA if they have inadequate security systems or incident response procedures. After learning of unauthorized access to its systems, the company must first determine the scope of the breach, i.e., what information or data the intruder accessed. The law requires disclosure upon a reasonable belief that personal information was acquired by an unauthorized person. Depending on how its databases, firewalls, and/or intrusion detection systems are configured, determining what information was acquired could be nearly impossible, especially where the access was a mere download of information without any changes to the data itself: a read-only copy leaves the data intact, so integrity checks and backups show nothing, and the scope can only be reconstructed from whatever access, query, or network logs were being kept at the time.
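The scoping problem just described, as an added example (not part of the original article, and not the authors' or any vendor's code): because a download changes nothing, the only record of what an intruder read is an access log. The script below walks a constructed database query-audit log, keeps the SELECT statements issued by an unexpected principal inside the incident window, maps the columns they read onto a constructed data inventory, and applies the trigger described above (a name together with an SSN, driver's license number or financial account number, where that element was not stored encrypted). The log line format, the table schema, the inventory and the incident window are all assumptions made for the example.

```python
"""Scoping a read-only breach from a database query-audit log (added example).

A download leaves the data unchanged, so integrity checks show nothing; the
query log is the only evidence of what was read. Log format, schema and
inventory below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed inventory: "table.column" -> (personal-data element, stored encrypted?)
INVENTORY = {
    "customers.full_name": ("name", False),
    "customers.ssn": ("ssn", False),
    "customers.dl_number": ("drivers_license", False),
    "customers.email": ("email", False),
    "payments.customer_name": ("name", False),
    "payments.card_number": ("financial_account", True),  # encrypted at rest
}
TRIGGER_ELEMENTS = {"ssn", "drivers_license", "financial_account"}

# Assumed audit-log line format; real database audit logs differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) rows=(?P<rows>\d+) stmt=(?P<stmt>.+)$")
SELECT_RE = re.compile(r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)", re.I)


@dataclass
class Finding:
    ts: str
    user: str
    ip: str
    table: str
    elements: dict      # element -> True if every copy of it that was read was encrypted
    rows: int
    notice_required: bool


def columns_to_elements(table, cols):
    """Map the selected columns onto inventory elements ('*' reads every column)."""
    elements = {}
    for key, (element, encrypted) in INVENTORY.items():
        t, c = key.split(".")
        if t != table or (cols != ["*"] and c not in cols):
            continue
        # An element is exempt only if every copy of it that was read was encrypted.
        elements[element] = elements.get(element, True) and encrypted
    return elements


def notice_required(elements):
    """Simplified trigger from the article: an unencrypted name plus at least one
    unencrypted trigger element. (An assumption about the statute's wording.)"""
    if elements.get("name", True):          # name absent or encrypted
        return False
    return any(not elements.get(e, True) for e in TRIGGER_ELEMENTS)


def scope_breach(log_text, window_start, window_end, authorized_users):
    """Return one Finding per suspect SELECT inside the window, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # unparseable line; a real run should count these
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if not (window_start <= ts <= window_end) or m["user"] in authorized_users:
            continue
        sel = SELECT_RE.match(m["stmt"])
        if not sel:
            continue                        # writes are visible to integrity checks; reads are not
        cols = [c.strip().lower() for c in sel["cols"].split(",")]
        table = sel["table"].lower()
        elements = columns_to_elements(table, cols)
        findings.append(Finding(m["ts"], m["user"], m["ip"], table, elements,
                                int(m["rows"]), notice_required(elements)))
    return findings


def summarize(findings):
    """Roll the findings up into what the incident lead needs for the notice decision."""
    triggering = [f for f in findings if f.notice_required]
    return {
        "notice_required": bool(triggering),
        "tables": sorted({f.table for f in triggering}),
        "elements": sorted({e for f in triggering for e, enc in f.elements.items()
                            if e in TRIGGER_ELEMENTS and not enc}),
        "max_rows": max((f.rows for f in triggering), default=0),
    }


# Constructed sample log: one legitimate read, then a bulk export by a reporting
# account from an unexpected address, an update, and a read outside the window.
SAMPLE_LOG = """\
2003-06-15T01:58:12Z user=app_web ip=10.0.5.21 rows=1 stmt=SELECT full_name,email FROM customers WHERE id=4411
2003-06-15T02:14:07Z user=app_report ip=203.0.113.9 rows=482913 stmt=SELECT full_name,ssn,dl_number FROM customers
2003-06-15T02:15:31Z user=app_report ip=203.0.113.9 rows=77120 stmt=SELECT customer_name,card_number FROM payments
2003-06-15T02:16:02Z user=app_report ip=203.0.113.9 rows=482913 stmt=SELECT full_name,email FROM customers
2003-06-15T02:20:45Z user=app_report ip=203.0.113.9 rows=1 stmt=UPDATE customers SET email='x' WHERE id=1
2003-06-15T09:00:00Z user=app_report ip=203.0.113.9 rows=482913 stmt=SELECT * FROM customers
"""
WINDOW = (datetime(2003, 6, 15, 2, 0, tzinfo=timezone.utc),
          datetime(2003, 6, 15, 3, 0, tzinfo=timezone.utc))
AUTHORIZED = {"app_web"}    # principals expected to touch these tables at that hour

if __name__ == "__main__":
    findings = scope_breach(SAMPLE_LOG, *WINDOW, AUTHORIZED)
    for f in findings:
        print(f)
    print(summarize(findings))
```

On the sample log the customers export (name plus SSN and driver's license number, all in the clear) triggers notice for up to 482,913 rows, the payments read does not because the card numbers were encrypted, and the email-only read and the UPDATE fall outside the trigger. The point the script makes is that every one of those conclusions depends on a query log that records the principal, the statement and the row count; without it, the "reasonable belief" determination cannot be made at all.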
The law does not allow any unreasonable delay in notifying California residents of the security breach. If a company has not instituted an incident response procedure in advance, it may not have the time necessary to remedy the breach, assess the harm, and fully comply with the IPA. Another reason to act in advance is that a company whose information security policy already includes notification procedures consistent with the law's timing requirements can comply by following its own policy. Without such a policy, the law dictates the form of notice: written or electronic notice to each affected resident, which can be very expensive, or, for the largest breaches, substitute notice that is very public, including conspicuous posting on the company's website and notification to major statewide media.
All Stick, No Carrot
Failure to comply with these disclosure obligations can subject a company to a civil suit for damages under the IPA. Damage awards could be significant, especially if the breached database was large. But in contrast to federal efforts, which encourage disclosure to law enforcement by limiting further dissemination of the information, the IPA provides no positive incentive for a company to disclose an attack. The California law contains no safe harbor provision. Companies that disclose under the IPA still face potential lawsuits for not adequately protecting their data in the first place. Without a safe harbor, companies may resist disclosure because they view it as embarrassing, feel it hurts shareholder confidence, and think it could encourage future cyber-attacks.
The potential for criminal liability is another factor that could give companies pause before disclosing a breach under the IPA. Many, if not most, instances of computer hacking originate from the inside. Hence, law enforcement investigations of corporate attacks almost always start within the company itself. If the hacker was an employee, supervisors and co-workers could find themselves subject to criminal investigation and prosecution. The company itself could also be held criminally liable for the actions of its employee in certain circumstances, even if the employee's conduct violated express company policy. Disclosure may unwittingly turn a company from a victim into the target of an investigation.
The goals of the IPA are laudable. We all would want to be notified if a hacker obtained our personal information. But the disclosures themselves are unlikely to affect the rate of identity theft. Rather, identity theft could go down if companies respond to these new obligations by allocating more resources to computer security.
Corporate attention to cybersecurity is warranted not only because of the IPA. Federal disclosure legislation in this area is all but inevitable. Plaintiffs have brought, and will continue to bring, lawsuits against companies on a host of tort theories for inadequately protecting privacy and for other consequences of computer hacking. If companies do not take cybersecurity seriously, tort suits, future federal efforts, and the disclosure obligations of the IPA will create dilemmas for them that could spread far beyond the borders of California.
Taylor C. Young and Jonathan F. Ariano are associates at the law firm of Osborn Maledon PA. Taylor is a litigator who has published in the areas of law and computer technology. His practice includes intellectual property, criminal defense, and appeals. Jonathan has over 10 years of experience in information technology security. He practices in the areas of business, technology and intellectual property.