Batteries and Flashlights Insufficient: Compliance with the Hurricane of Privacy Legislation
September 6, 2011
As summer drew to a close, Eastern seacoast residents scurried to secure their homes with batteries and flashlights as Hurricane Irene approached. We are in the midst of another storm: a legislative storm related to consumer privacy and data breach. Businesses need to adopt a proactive approach. They need to have all their supplies on hand well in advance so they can comply with the onslaught of impending legislation without compromising their legal status and creating a public relations nightmare.
On August 31, 2011 California amended its consumer data breach notification statute. With Senate Bill 24, California legislators approved an amendment requiring that entities provide more detailed information to consumers who have been the subject of a security breach.
The new law, which goes into effect on January 1, 2012, requires businesses to notify consumers in plain language of the following information:
• The entity’s name and its contact information
• A specific description of what personal information escaped security
• The date of the breach. An approximate date is acceptable if the precise date is unknown.
• If a law enforcement investigation caused a delay in consumer notification, an explanation should be given.
• Contact information for major credit reporting agencies, if the breach involved social security, driver’s license, or California identification card numbers.
The amendments suggest, but do not require, that the business explain to consumers what measures it has taken to protect affected consumers and offer recommendations on how consumers can protect themselves.
The law also provides that if the data breach affects over five hundred California consumers, the entity should submit electronically a copy of the consumer notification to the California Attorney General.
PLAN OF ACTION NEEDED
We can expect to see more legislation like this in the coming months. Of course, we must keep a close eye on developments in Congress, where multiple bills have been introduced seeking to establish federal standards for data breach notification.
With a maze of legislation developing, businesses need to review their data encryption procedures, their crisis intervention procedures, and their consumer notification procedures. Large or small, all businesses need to assemble a data security team that includes their information technology personnel, their public relations agencies, and their legal advisors. This team should be creating preventive policies as well as emergency coping plans. Otherwise, a business could find itself in the eye of a storm.