California privacy law a yawner so far

The compliance notifications required by California's privacy law for the unauthorized disclosure of a resident's personal information have, after eight months, caused barely a ripple on the national privacy landscape.

The landmark legislation to combat identity theft known as SB 1386 became effective on July 1, 2003, and is officially known in the state by its moniker from the General Assembly, AB 700. To date, four privacy violations originating in California have spawned notifications required by the law, and only a single notification of California residents has come from another state, according to officials in the state's Office of Privacy Protection. Notices sent to California residents from all sources total fewer than 100,000 so far.

SB 1386 requires companies to notify customers if the companies believe a systems breach has led to the release of personal information. The bill, intended to combat identity theft, defines personal information as data that can identify an individual, such as a Social Security number, phone number, address, birthday, account number or other unique identifier. It defines personal information in a way similar to federal privacy regulations such as the Health Insurance Portability and Accountability Act for health care and the Gramm-Leach-Bliley Act for financial services.

The legislation gave oversight, but not regulatory authority, to the Office of Privacy Protection in the California Department of Consumer Affairs. According to Joanne McNabb, the director of the privacy protection office, the first six months since the bill's effective date were spent working with public and private-sector entities to draft a set of best practices, which were published in October 2003.

"They are not regulations; they are nonbinding best practices" and provide guidelines in three broad areas, McNabb said. The first guideline focuses on how to prevent unauthorized disclosure of personal information. The second provides guidance for "how to properly give notice" and specifies the timing and types of communications channels that should be used. The third guideline includes specific language that should be included in the actual notice.

The lack of enforcement teeth in SB 1386 means there is no requirement to notify the Consumer Affairs Department when an unauthorized disclosure occurs, McNabb said. She receives notice of breaches through ad hoc channels, such as media reporting or word of mouth, after an individual receives a notice.

"Our legislation is slowly making a difference in how organizations protect the sensitive personal info they have in their control," McNabb said. "We rely on the good faith of the organizations involved to follow the law."

Those not complying with the strictures of SB 1386 could face legal action from the California attorney general's office, said Steve Gevercer, a deputy attorney general for legislative affairs. "If we think there's a violation and don't know of any specific injuries, we can bring an action to stop the breach to prevent injuries to protect the public."

Although no noncompliance actions have been filed to date, and none are currently planned, Gevercer said, "we have discretionary civil enforcement powers" and can file civil actions for compliance remedies. The state could also seek civil monetary damages, in addition to any individual awards arising from civil actions authorized in SB 1386.

So far, the law has caused notices to be given by three financial institutions doing business in California and one agency of the state government. Two of the cases involving the financial institutions arose when offices were burglarized and computers containing sensitive information were stolen in October and November 2003. Each of these incidents affected a relatively small number of potential customers whose information was stored in password-protected files.

The third private-sector case arose in January, when tax-reporting information was being printed for personal tax returns. Individual information was merged out of sequence, resulting in dividend information being mailed with improper Social Security numbers for 3,800 bank customers.

The largest notification to date was sent Feb. 11 when the California Employment Development Department sent letters to approximately 55,000 household employees in the state. A hacker had unlawfully accessed a department server containing private information on domestic workers, such as nannies, gardeners and maids. The hacker's primary use of the compromised server seemed to be as a platform for sending spam, according to state officials investigating the incident. The extent of the hacker's access to the private information couldn't be determined.

The only known notice arising from an unauthorized disclosure affecting California residents from out of state occurred in another theft of a computer from a repair shop in Scottsdale, Ariz. The laptop, owned by United Blood Services, contained personal information on 38,000 California blood donors and was taken on Dec. 30, 2003. Notices were mailed Feb. 9, according to the privacy protection office.

There have been other well-publicized unauthorized breaches of private information on a national scale since SB 1386 became effective. For instance, a December 2003 programming error temporarily exposed on the Internet some portions of millions of personal records used by private investigators, law enforcement authorities and credit agencies. These other national privacy breaches either apparently didn't involve any private, unencrypted information of California residents, as defined in the legislation, or the custodians of the information don't know of their notification requirements under the California law.

U.S. Sen. Dianne Feinstein (D-Calif.) introduced a Senate bill in June 2003 that would require identity theft notifications nationally, similar to those specified in SB 1386. Howard Gantman, a spokesman for Feinstein, said the proposed legislation is awaiting action in the Senate's judiciary committee. So far, no Republican co-sponsors have signed on, a necessary step before the bill can advance to the Senate floor.

Mark Willoughby, CISSP, is a 20-year IT industry veteran and journalist with degrees in computer science and journalism. For the past seven years, he has tracked security and risk management start-ups and is a managing consultant at MessagingGroup, a Denver-based content development specialist.

Copyright © 2004 IDG Communications, Inc.