California Businesses Are Under Strict Data-Breach Notification Requirements.
Know the facts around notification-requirement laws to protect your business, and yourself as a business owner.
Data breaches continue to impact organizations and individuals alike, and California legislators are doing something about it. New data-breach laws went into effect last year. They apply to any business or individual doing business in the state of California that stores personally identifiable information (PII).
The hope is that early data-breach notification will result in fewer losses. Unfortunately, this can have a negative impact on businesses as they scramble to ensure they’re meeting these new requirements.
Personally Identifiable Information (PII)
Any time a business maintains PII, it is under a moral obligation to ensure the tightest possible security at all times. PII classifications are managed by the U.S. General Services Administration (GSA) and apply to government employees, businesses, contractors and individuals who store data digitally.
The definition of PII may require a case-by-case assessment, but generally refers to any information that can be used to trace a specific person’s identity, either by itself, or in combination with other information.
It’s important to note that the data points need not all be stored in the same location. For instance, information is personally identifiable if a hacker uncovers data points that can be matched to public information such as phone books, corporate directories and websites. Key data points include:
- Social security numbers
- Salary information
- Biometric information
- Passport numbers and data
- Medical or health insurance information
- Personally identifiable financial information
- Driver’s license numbers
- Information collected via an automated license plate recognition system
The final point was recently added as a result of the revised legislation. This broadens the responsibilities of California organizations in regard to notifications after a PII data breach.
Nearly 90 percent of clients won’t do business with you again once their personal financial data is compromised.
The Dangers of Data Breaches
One scenario that gets a lot of negative press is credit-card breaches, something that happens on a regular basis. While the majority of credit card companies will cover individuals’ losses as long as they report quickly, people typically don’t check their accounts on a regular basis.
With hundreds of millions of records falling prey to cybercriminals on an annual basis, the problem continues to grow. If your business currently accepts credit cards as a method of payment, you must be aware of the potential impact. If you’re storing hundreds or even thousands of records, you’ll face significant liability in the event of a data breach. Liabilities average around $150 per record, per incident.
Who’s Protected by the New Data Breach Laws?
All Californians are protected by the new laws (which went into effect January 1, 2016). While the California Civil Code refers to “clients” or “client records,” there are no limitations beyond this statement, meaning all residents of the state are covered under the same statutes.
While individuals living in other states are not expressly covered by this legislation, they are benefiting from the notification requirements. When an organization is required to notify residents of the state, it’s often easier to notify all clients on the same schedule to minimize confusion.
A Data Breach Defined
The term “data breach” refers to any unauthorized acquisition of digital data that could compromise the integrity, security or confidentiality of PII. The infringement can consist of encrypted or unencrypted data, or a combination of both. Data breaches aren’t always caused by hackers, and can often be the result of internal systems or procedures that aren’t up to security standards.
Data-Breach Notification Requirements
While nearly all states have some form of notification requirements, California’s laws are quite specific and meant to provide the greatest level of protection possible to the consumer. This can make the laws more challenging for businesses to implement, especially since the notification must be made “immediately following discovery,” at a time when businesses are scrambling to restore operations.
Notification requirements are as follows:
- The notification must be in at least 10-point type, clearly legible and have standardized headings for clarity.
- The type of information involved in the breach, the date the breach occurred and the details surrounding the incident must be provided.
- Detailed contact information for the business that experienced the security incident must be included.
- If an active investigation delayed the breach notification, this must be stated.
- Toll-free contact numbers and physical addresses of major credit reporting agencies must be provided. This is most important in the instance of a California ID card or driver’s license number breach.
- Free identity-theft protection should be provided to victims for 12 months following the breach if the notifying organization is found to be at fault.
While California’s laws may seem aggressive, remember that they were put in place to protect innocent individuals.
Protect your organization in San Francisco or the Bay Area from the negative effects of data breaches. Boost security levels with adequate training, stringent security standards, and reliable computer hosting and support. Contact Intivix at (415)-549-9681 or [email protected] to learn more about California’s data-breach notification requirements, and best practices for securing your data.