Computer Intrusion Disclosures Mandated by New Law
by Sam Ott, BOL Guru
If a new California law signals a trend, banks and businesses in the future will have no choice about whether or not to disclose to their customers that a computer intrusion has occurred and a hacker may have gained access to customer personal information. The disclosure will be required.
The California law alone has wide-ranging implications because it potentially affects any business that "does business" in California and has customers residing in that populous state.
The legislation, which will be effective July 1, 2003, amends the California Information Privacy Act. Highlights of the law are as follows:
- any person or business that conducts business in California and owns or licenses computerized data is required to disclose to all customers who are California residents any breach of the security of their unencrypted personal information;
- it also applies to a state agency, and it is believed the well-publicized hack into a California state employee database was at least partly responsible for this new legislation;
- the disclosure to customers must be made "as soon as possible" after the discovery of the breach;
- a delay in disclosure is allowed only if a law enforcement agency determines the disclosure would hinder a criminal investigation;
- any customer who was injured by the failure to disclose can file a civil suit to recover damages.
A news report speculates it may serve as a national model.
A financial institution or other business that discovers and reports a breach of its computer system that may have allowed the hackers to obtain customer personal information could be sued by its customers individually or in a class action. Under the provisions of the statute, the financial institution need only be conducting business in California; it does not have to have an office in the state.
"Personal information" is defined as an individual's first name or initial plus one of the following:
- Social security number
- Driver's license number or identification card number
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Note, the statute specifically relates to the information of an individual, so business customers do not appear to be covered. In addition, personal information that is lawfully available to the general public from government records is excluded from protection. The statute also only applies to unencrypted data, so a compromised record whose covered fields were encrypted falls outside the disclosure requirement; that exemption is the law's one direct incentive to apply a technical control to this data.
Under the statute, a "breach of the security of the system" means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business. Keep in mind that this could occur from an outside hacker - or from a dishonest insider.
The required notice must be given in the most expedient time possible and without unreasonable delay. It may be provided by any of the following methods:
- Written notice
- Electronic notice or
- Substitute notice, if the cost of providing the notice would exceed $250,000, or the number of customers to be notified exceeds 500,000, or sufficient contact information is not available
Substitute notice consists of all of the following:
- e-mail notice, when the business has an e-mail address for the affected customers
- conspicuous posting on the Web page of the business, if it maintains one, and
- notification to major statewide media
The law appears to be the first of its kind and, due to the influence of California in the computer industry, it may serve as a model for similar legislation in other jurisdictions.
Copyright, 2002, Bankers Online. First published on BankersOnline.com 11/20/02.