Privacy and EIM Alert: Data Breach Laws Become Even Stricter For All Companies With California Or Massachusetts Customers Or Users


How can a 21st century U.S. company do its best to comply with data-security-related obligations imposed by the various laws of 46 states? (Only Alabama, Kentucky, New Mexico, and South Dakota have not enacted laws requiring companies to provide notice of a data breach.) A company can implement practices and procedures designed to achieve maximum compliance with the laws adopted by the two states widely acknowledged to impose the strictest obligations: California and Massachusetts. In 2012, in different ways, these two states’ respective regulatory schemes addressing data breaches have become even stricter.

Over the past decade, California has enacted, and then amended incrementally, notice-of-breach laws designed to prevent identity theft. The first of such laws, enacted in 2002, is commonly referred to as S.B. 1386. California’s notice-of-breach statutes, including S.B. 1386, apply to all companies that conduct business in California (as well as to state and local governmental agencies). From day one those statutes, including Cal. Civ. Code § 1798.82, have protected every California resident’s electronic personally identifiable financial information (PII) by requiring notice to the affected individuals whose sensitive PII stored in unencrypted form is hacked, lost or otherwise compromised (a “data breach”).

The geographical location of that information is irrelevant, as is whether the PII possessor outsources storage to a service provider. Thus, the protection cuts a broad swath in the borderless universe of 21st century e-commerce, in which almost every company stores, or outsources storage of, information on consumers from all over the country. As with the notice-of-breach laws in most other states, California’s statutes have always had an automatic notice trigger once certain PII (a name coupled with other sensitive confidential information) has been compromised. There is no requirement that the company owning the data first assess the extent of the risk of identity theft created by the data breach.

Please see full alert below for more information.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fenwick & West LLP | Attorney Advertising
