United States Cybersecurity Laws – Part II

Data breach incidents have caused significant complications for business owners and their customers. The statistics show that at least 50% of companies have been targeted by hackers. Lawmakers have therefore taken steps to promulgate laws that protect the victims and penalize the bad actors.

Data Breach Notification Laws

Every state has some form of data breach notification legislation that requires business owners to give notice to consumers about a data breach that has resulted in the unauthorized acquisition of unencrypted personal information. These laws usually require the business owners to give notice to the consumers in the most efficient manner. They may require the business owners to notify the Attorney General’s office if the business is required to notify a significant number of residents in that state. They also grant a “private right of action” (i.e., the right to file a lawsuit) to the victim in order to seek legal and equitable damages.

In California, the relevant statutes are as follows: (1) Civil Code § 1798.29; (2) Civil Code § 1798.82, et seq.; (3) Senate Bill 1386; (4) Senate Bill 24; (5) Senate Bill 46; (6) Assembly Bill 1710; (7) Assembly Bill 964; and (8) Assembly Bill 1130. These statutes define “personal information” to include a Social Security number, driver’s license number, credit or debit card number, medical information, health insurance information, and biometric data (e.g., retina, fingerprint, iris image). The rules require entities that do business in the state to take certain steps when dealing with any kind of unauthorized access to encrypted or unencrypted personal information. They require entities that do not own the personal information to immediately notify its owners or licensees. They require notice to be given by either: (1) written notice; (2) electronic notice; or (3) other electronic forms. The notice should include certain information that outlines the incident and explains who, what, when, where, how, or why the data breach took place. In other words, it should include the incident date, the reporting person’s name and contact information, the type of personal information that was accessed without authorization, the date of breach, a description of the breach incident, and a toll-free number for credit reporting agencies (e.g., Equifax, Experian, TransUnion) if the breach incident exposed Social Security numbers, driver’s license numbers, or state identification numbers.

In California, a person or business doing business in the state that owns or licenses electronic information that yields personal information must disclose security breaches. The notification can be delayed if any law enforcement agency decides that it will impede a criminal investigation. The law requires the person or business to provide a written data breach notification that explains what, when, where, how, or why the breach took place, as outlined in Civil Code §§ 1798.82, et seq. Moreover, the law requires that a sample of any breach notification sent to more than 500 residents be submitted to the State Attorney General.

The Federal Information Security Modernization Act (“FISMA”) imposes certain responsibilities on the federal government. For example, it grants the Department of Homeland Security the authority to administer the implementation of information security policies for non-national security federal Executive Branch systems. This federal statute was passed to recognize the importance of cybersecurity at the national level. It focuses on strengthening and protecting the confidentiality, integrity, and availability of system-related information.

In fact, in the past year, there have been numerous cybersecurity incidents and data breaches across small and large entities. For example, the City of Torrance, Wyndham Capital Mortgage, Accident Insurance Company, One Workplace Ferrari, LLC, and U.S. Bank were targeted by hackers.

Our law firm assists clients in matters related to cybersecurity. It’s important to know your legal rights and responsibilities when involved in internet transactions. Please contact our law firm to speak with an internet attorney at your earliest convenience.