Data breaches are on the rise. Hackers are constantly probing the networks of financial institutions, retailers and other companies seeking any data that may be of value. Financial institutions are a major target. Not surprisingly, with the rise in the number of data breaches has come an increase in the number of lawsuits filed against companies relating to these breaches. When a company experiences a data breach, it can expect to be named in multiple lawsuits—including class actions—asserting, among other things, that the company was negligent in not preventing the breach.
Data breaches are expensive, and that expense is increasing. Apart from the obvious cost of defending the inevitable lawsuits that follow a breach—Target recently agreed to pay over $40 million to settle one of the data breach class actions resulting from its December 2013 breach—companies that suffer data breaches face costs of securing their networks after the breach, costs of repairing their reputation in the eyes of potential customers, and costs of retaining existing customers. According to a May 2015 study commissioned by IBM Corporation and conducted by Ponemon Institute, the average cost of a data breach has increased 23% since 2013. On average, each stolen customer record containing confidential information costs the company $154 (this is across all industries—the cost per record is likely higher in the financial services industry). The average cost of lost business after a data breach increased from $1.33 million in 2014 to $1.57 million in 2015. The average cost of detecting and mitigating data breaches increased from $0.76 million to $0.99 million in the last year. Data breaches in the financial services industry are the fourth-most expensive of any industry, behind only breaches in the healthcare, education and pharmaceutical industries in terms of average cost.
With all of this expense, it is obvious that preventing a data breach should be your first priority. This is expensive in and of itself, but the costs pale in comparison to the costs of responding to a breach after the fact. Hiring competent computer security professionals, segregating networks, and requiring good password security practices for all employees is just a start. But suppose, despite taking all the precautions you thought prudent, a hacker still manages to penetrate your company’s computer security and steal valuable customer data. What do you do next?
This article provides a general overview of the requirements of California’s data breach notification law, with which companies must comply when they experience a data breach. Obviously, stopping the leak is priority one. Identifying how the hacker penetrated your network, and stopping the penetration, should happen immediately. But company counsel should understand that data breaches trigger legal obligations of the company as well. And these legal obligations are time-critical. A data breach is not just a technological emergency – it is a legal emergency.
Most states, the District of Columbia and Puerto Rico have enacted laws that require companies – including financial institutions – that suffer a data breach to notify customers of the breach. This means that the days of keeping a breach quiet are over. A data breach will be public and, in some states, must be made public very quickly. California was the first state to enact such a notification statute in 2002 when it enacted California Civil Code Section 1798.82, which applies to any “person or business that conducts business in California, and that owns or licenses data that includes personal information.” Cal. Civ. Code § 1798.82(a).
Under Section 1798.82, when a company experiences “a breach of the security of the system [containing the computerized data that includes personal information in an unencrypted format],” the company must disclose the breach to any customer whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person in the breach. Id. The notification “shall be made in the most expedient time possible and without unreasonable delay.” Id. The only exceptions to the expedient notification rule are the time needed to “determine the scope of the breach and restore the reasonable integrity of the data system,” and a delay requested by a law enforcement agency if that agency determines that disclosure will “impede a criminal investigation.” Id.
If a company is required to issue a breach notification under Section 1798.82, the notification must be in writing, written in plain language, and must include, among other things, (1) the name and contact information of the company reporting the breach, (2) a list of the types of personal information the company reasonably believes was the subject of the breach, (3) if known, the date, or the estimated date, of the breach, (4) whether notification was delayed as a result of a law enforcement investigation, (5) a general description of the breach incident, and (6) the toll-free numbers of the major credit reporting agencies (if the breach exposed customers’ social security numbers or drivers’ license numbers). Cal. Civ. Code § 1798.82(d)(2)(A)-(F).
In addition, adding to the cost of the data breach, the company must offer to provide customers whose data was acquired in the breach “appropriate identity theft prevention and mitigation services” at no cost for no less than twelve months, and must notify the customer of the offer in the breach letter. Cal. Civ. Code § 1798.82(d)(2)(G). If a single data breach involves the data of more than 500 California residents, the company is required to provide a copy of the breach notification letter that it sends to its customers to the California Attorney General. Cal. Civ. Code § 1798.82(f). Ensuring that the company will forever live on in data breach infamy, the Attorney General maintains on its website a searchable database containing information regarding all data breaches submitted to it.
Notification letters must be sent to customers extremely soon after discovery of the breach. Accordingly, it is critical that a company that has experienced a data breach hire counsel experienced in privacy and data breach law in order to begin the process of drafting the breach letter immediately after discovery of a breach. Failure to comply with Section 1798.82 may result in a civil action—possibly a class action—to recover actual damages suffered by customers as a result of the violation. The breach letter must be carefully drafted to comply with California law, bearing in mind that litigation over the breach is likely coming and that the breach letter is likely to be Exhibit A in that litigation.
Data breach notification laws have been enacted in most (but not all) states. The European Union enacted a data breach notification requirement in the 2009 Directive on Privacy and Electronic Communications, which had to be enacted into the national law of the EU member states by May 25, 2011. In his 2015 State of the Union address, President Obama proposed a national data breach notification law that would require notification of affected customers within 30 days of a data breach that involved their personal information. While a number of laws have been proposed in Congress, thus far none has passed.
Nonetheless, companies that experience a data breach must comply with a patchwork of state laws regarding notifying customers, including California Civil Code Section 1798.82. A data breach is sure to be costly. But hopefully, by acting quickly to stop the breach, determine its cause, and comply with state data breach notification laws, companies can stop that liability from ballooning.
For more information regarding data breach management or compliance with the data breach notification laws of the various states, including California Civil Code Section 1798.82, please contact Joseph W. Guzzetta at email@example.com.