Boomer Bulletin


New California Identity Theft Regulation

In recent years, California has enacted a number of identity theft laws focusing on businesses and the need to protect consumer information at the source. Accordingly, business attorneys need to become familiar with this new legislation in order to protect their firms' client information and to guide clients through the new responsibilities that they face.

The new laws reflect that identity theft is the fastest growing crime in America. In September 2003, the Federal Trade Commission published a survey1 that found that in the past five years, 27 million Americans became victims of identity theft. In the 12 months preceding the survey, identity theft victims numbered 9.91 million. The same survey found that identity theft losses to businesses and financial institutions in 2002 totaled $47.6 billion. To make matters worse, the number of actual crimes may far exceed these statistics, considering that not all victims report the crimes. The two primary locations for identity theft crime are Washington, D.C., and California.

Since technology has made it easy for anyone so inclined to commit identity theft and, in many cases, get away with it, lawmakers have recognized the need to protect the private information that thieves can use to obtain credit in a person's name. This data includes social security numbers, driver's license numbers, and account numbers. In response, California lawmakers have enacted significant new legislation that obligates businesses to adequately protect confidential information, confirm the identity of the persons to whom they extend credit, and notify customers of breaches in security affecting personal information.2

In California, one of the most significant recent laws is Senate Bill 1386.3 The bill, which became effective on July 1, 2003, requires businesses to provide prompt notice to California resident customers of any breach of security involving unencrypted personal data. The law applies to any person or business that does business in California, even if located out of state, and that owns or licenses computerized data that includes personal information. As such, the law is of very broad application.

Notice is required as long as the business reasonably believes that an unauthorized person accessed personal information. Personal information consists of the individual's first and last name (or first initial and last name) along with one of the following: 1) social security number, 2) driver's license or California identification card number, or 3) account number or credit or debit card number if acquired in combination with any required security code that would allow access to the account.4 However, notice is not required if the information is encrypted.5

Notice may be provided in writing or electronically. In addition, the business may be able to use a substitute form of notice if the cost of providing written or electronic notice would otherwise exceed $250,000 or involve more than 500,000 persons.6 Upon demonstrating that either of these conditions applies, the business may notify affected persons by e-mail, by conspicuous posting of the notice on a Web site, or by notifying statewide media. Businesses should first notify law enforcement agencies of the breach, as notice to customers may be delayed if the agency determines that notification will negatively affect a criminal investigation.
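The two preceding paragraphs describe a decision rule: which combinations of exposed data elements constitute "personal information," how encryption removes the duty, and when the cost or headcount thresholds permit substitute notice. The following Python is an added illustration of that rule for breach triage; it is not code from the article or from any statute. The column names, the per-notice cost and the sample records are constructed for the example, and the mapping of database columns onto the statutory data elements is an assumption an organization would have to make for its own schema.

```python
"""Breach-notification triage for the Senate Bill 1386 rule described above.

Added illustration, not code from the article or from any statute text.
It encodes the summary given above: notice is owed when a California
resident's first name (or first initial) and last name were exposed together
with an SSN, a driver's license or California ID number, or an account / card
number plus the code needed to use it, and that information was not
encrypted. Column names, the cost per notice and the sample records are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable

# Thresholds for substitute notice (e-mail, Web posting, statewide media),
# as stated in the article.
SUBSTITUTE_NOTICE_COST = 250_000      # dollars
SUBSTITUTE_NOTICE_PERSONS = 500_000   # affected persons

# Constructed column names mapped onto the statutory data elements.
NAME_FIELDS = {"first_name", "first_initial"}
LAST_NAME_FIELD = "last_name"
STANDALONE_ELEMENTS = {"ssn", "drivers_license", "ca_id_card"}
ACCOUNT_ELEMENTS = {"account_number", "credit_card_number", "debit_card_number"}
ACCESS_CODES = {"security_code", "pin", "password"}


@dataclass(frozen=True)
class ExposedField:
    column: str       # which column of the record was accessed
    encrypted: bool   # True if that column was encrypted when accessed


@dataclass(frozen=True)
class ExposedRecord:
    person_id: str
    fields: tuple     # tuple of ExposedField


def _plaintext(fields: Iterable[ExposedField], columns) -> bool:
    """True if any of `columns` was exposed in unencrypted form."""
    return any(f.column in columns and not f.encrypted for f in fields)


def notice_required(fields: Iterable[ExposedField]) -> bool:
    """Apply the personal-information definition to one record's exposed fields.

    Encrypted columns are treated as not exposed, following the article's
    statement that notice is not required for encrypted information.
    """
    fields = list(fields)
    has_name = _plaintext(fields, NAME_FIELDS) and _plaintext(fields, {LAST_NAME_FIELD})
    if not has_name:
        return False
    if _plaintext(fields, STANDALONE_ELEMENTS):
        return True
    # An account or card number only qualifies together with the code
    # that would allow access to the account.
    return _plaintext(fields, ACCOUNT_ELEMENTS) and _plaintext(fields, ACCESS_CODES)


def notice_method(affected_persons: int, estimated_cost: float,
                  law_enforcement_hold: bool = False) -> str:
    """Choose direct notice, substitute notice, or a hold at law enforcement's request."""
    if law_enforcement_hold:
        return "delayed"
    if estimated_cost > SUBSTITUTE_NOTICE_COST or affected_persons > SUBSTITUTE_NOTICE_PERSONS:
        return "substitute"
    return "direct"


def triage(records: Iterable[ExposedRecord], cost_per_notice: float,
           law_enforcement_hold: bool = False) -> dict:
    """Return who must be notified and how, for a set of exposed records."""
    affected = [r.person_id for r in records if notice_required(r.fields)]
    count = len(affected)
    if count == 0:
        return {"affected": [], "method": "none"}
    return {
        "affected": affected,
        "method": notice_method(count, count * cost_per_notice, law_enforcement_hold),
    }


def _f(column, encrypted=False):
    return ExposedField(column, encrypted)


# Constructed sample: five records touched by a hypothetical intrusion.
SAMPLE_RECORDS = (
    # name + plaintext SSN: notice owed
    ExposedRecord("p1", (_f("first_name"), _f("last_name"), _f("ssn"))),
    # name + SSN, but the SSN column was encrypted: no notice
    ExposedRecord("p2", (_f("first_name"), _f("last_name"), _f("ssn", encrypted=True))),
    # name + card number without its security code: no notice
    ExposedRecord("p3", (_f("first_name"), _f("last_name"), _f("credit_card_number"))),
    # initial + last name + account number + PIN: notice owed
    ExposedRecord("p4", (_f("first_initial"), _f("last_name"), _f("account_number"), _f("pin"))),
    # SSN without any name element: not personal information under the definition
    ExposedRecord("p5", (_f("ssn"),)),
)

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, cost_per_notice=5.0))
    # {'affected': ['p1', 'p4'], 'method': 'direct'}
```

The point of the sample records is the two negative cases: an encrypted SSN and a card number exposed without its access code both fall outside the definition as the article summarizes it, which is exactly the distinction a business needs its inventory of encrypted columns to support when it must decide quickly whether notice is owed.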

The cost of notifying customers is a major concern to businesses and raises many questions. When does one reasonably believe security has been breached? Did the breach affect all customers or a few? Is notice required to all customers in the database if the business suspects a breach but does not know its extent? The answers to these questions may have to be determined in future court decisions.

Businesses would be ill-advised to take the new law lightly. The bill provides that an injured customer may bring a civil suit for damages and/or seek an injunction in addition to any other rights and remedies the customer may have. Although it may be difficult for an individual customer to trace an identity theft to a leak from a particular business, a business that fails to follow the law and that is exposed for not doing so could face a significant and expensive class action.

California lawmakers also have passed laws requiring businesses to verify the identity of persons seeking credit. Assembly Bill 1610,7 approved July 7, 2003, requires any person who uses a credit report and who determines that the consumer's first and last name, address, or social security number on the consumer's credit application do not match the information shown on the credit report (within a reasonable degree of certainty) to take reasonable steps to confirm that the application is not a result of identity theft. This new law also prohibits any person who uses a consumer report from extending credit (not including increases in open-ended credit plans) if the person has received notice that the consumer has been the victim of identity theft, unless the person takes reasonable steps to verify the identity of the consumer. Violation of this law is expensive: Consumers are entitled to recover actual damages, attorney's fees, court costs, and punitive damages of up to $30,000 for each violation.

Along the same lines, Senate Bill 25,8 effective July 1, 2004, requires a person who uses—in connection with a loan, purchase, lease, or rental of goods—a consumer credit report that contains a security alert9 to take reasonable steps to verify the consumer's identity. Like Assembly Bill 1610, Senate Bill 25 also does not apply to an increase in existing open-ended credit. The user of the report must take reasonable steps to contact the consumer by telephone if the consumer has requested telephonic verification with the security alert. Senate Bill 25 also limits use of a consumer's social security number. Businesses will no longer be able to print or embed an individual's social security number on a card required for access to the business's products or services. With certain exceptions, such as applications and forms to establish, amend, or terminate an account, a consumer's social security number may not be placed on any documents mailed unless otherwise required by law. Businesses will also be prohibited from requiring anyone to send a social security number over the Internet unless the connection is secure or the social security number is encrypted.

California has also passed legislation restricting use of a person's driver's license information. Effective January 1, 2004, Senate Bill 602,10 limits, among other things, a business's use and retention of driver's license or identification card information to 1) verifying age or authenticity of the card, 2) complying with any legal requirement to maintain such information, 3) transmitting the information to a check service company for approval, and 4) collecting or disclosing personal information required to report, investigate, or prevent fraud. A business may not retain such information for any other purpose, and a violation constitutes a misdemeanor punishable by imprisonment of up to one year and/or a fine of up to $10,000.

Another concern is the sharing of non-public information between businesses. Senate Bill 1,11 effective July 1, 2004, limits the ability of financial institutions to sell a consumer's personally identifiable financial information that the financial institution obtains, or that is created, as the result of a transaction with or services provided to the consumer. "Personally identifiable financial information" includes information that a consumer provides in connection with a credit application, account balance and payment information, and information from a consumer report. It also includes information as to a consumer's prior business with the financial institution, information obtained in connection with collecting on or servicing a loan, and information obtained through an Internet cookie or an information collecting device on a Web server.

SB 1 and the GLBA

Senate Bill 1 is intended to afford greater privacy than the federal Gramm-Leach-Bliley Act. The GLBA requires that financial institutions notify consumers of what information is protected and how the institution will protect and share the information. Under the GLBA, consumers have the right to notify financial institutions that they do not want their personal information shared with entities not affiliated with the financial institutions, although financial institutions may still share such information with their affiliates. In contrast, Senate Bill 1 requires financial institutions to affirmatively obtain the consumer's written consent before sharing a consumer's nonpublic personal information with nonaffiliated third parties. In addition, Senate Bill 1 provides that a financial institution may not share information with an affiliate unless it annually provides notice of such disclosure to the consumer and the consumer does not object. A financial institution may maintain a common computer database with an affiliate without violating this rule as long as the nonpublic personal information is not further disclosed except as otherwise permitted.

For the GLBA, "financial institutions" include firms that provide real estate settlement, tax planning, and tax return preparation services.12 While the GLBA does not explicitly exclude law firms, one district court recently ruled that "Congress did not intend for the GLBA's privacy provisions to apply to attorneys who provide legal services in the fields of real estate settlement, tax-planning and tax preparation.…"13 In contrast, Senate Bill 1 expressly provides an exception for professional firms. Specifically, Senate Bill 1 states that a financial institution does not include "any provider of professional services, or any wholly owned affiliate thereof, that is prohibited by rules of professional ethics and applicable law from voluntarily disclosing confidential client information without the consent of the client." Therefore, law firms should find themselves outside the scope of Senate Bill 1.

Senate Bill 1 provides that the attorney general or the regulator with jurisdiction over the financial institution may seek penalties for violations. Financial institutions that improperly disclose or share a consumer's personal financial information are liable for a civil penalty up to $2,500 per violation. If the unlawful disclosure involves more than one consumer but is due to negligence, the civil penalty may not exceed $500,000. However, if the disclosure results in identity theft, the penalties are doubled.

Certain provisions of Senate Bill 1, however, appear to be preempted by the federal Fair and Accurate Credit Transactions Act of 2003 (FACTA),14 which President George Bush signed into law on December 4, 2003. FACTA amends the Fair Credit Reporting Act and provides, among other things, that federal banking agencies must establish guidelines for financial institutions to help prevent identity theft. Specifically, the law's purpose is "to prevent identity theft, improve resolution of consumer disputes, improve the accuracy of consumer records, make improvements in the use of, and consumer access to, credit information, and for other purposes." FACTA limits the extent to which affiliated entities may share personal consumer information for solicitation for marketing purposes. FACTA requires that such sharing be disclosed to consumers and that consumers be given the opportunity to prohibit such sharing. FACTA does not, however, cover sharing with nonaffiliated entities.

Additional Legislation

The problem of identity theft in California has become so serious that Assembly Bill 1610 and Senate Bills 1 and 25 are not the only laws that have been created to address it. Other recent California legislation includes:

  • Senate Bill 27, effective January 1, 2005, which requires businesses to notify customers of any disclosure of information to a third party for direct marketing purposes.15
  • Assembly Bill 1294, approved September 30, 2003, which prohibits debt collection once the creditor has been provided evidence that the debt is due to identity theft.16
  • Assembly Bill 68, effective July 1, 2004, requiring Web operators to list their privacy policy on their sites and notify users of any third parties who will receive such information.17
  • Assembly Bill 1772, approved July 21, 2003, and Senate Bill 684, approved September 24, 2003, which extend a person's right to obtain information on unauthorized loan applications to other types of transactions, namely mail receiving and forwarding services and office or desk rental services.18 Senate Bill 684 also defines "application" and incorporates changes proposed by Senate Bill 602.

Not all the new laws contain specific enforcement provisions or provide a mechanism for consumers to recover damages. For example, neither Senate Bill 1 nor Assembly Bill 68 expressly provides for damages for consumers. Consumers may be able to assert claims for unfair business practices under California Business and Professions Code Section 17200 based on violations of the new legislation. Although this application of the law has yet to be proven, courts have broadly interpreted Section 17200 to provide individuals with causes of action for unlawful practices under civil or criminal federal and state laws.19 However, remedies are generally limited to restitution and injunction.20 Nevertheless, businesses could face expensive class action lawsuits for violating the new laws even if the new laws do not specifically provide for these actions.

Compliance

Since many of the new laws have already gone into effect, law firms and their business clients need to get systems, policies, and procedures in place quickly to protect client and customer information. Compliance with the new laws requires action in three areas: technology, policies and procedures, and training. Three lines of defense, including proactive and reactive tools, should be used to ensure comprehensive protection of information. The most effective strategy is to implement them in the following order, working from inside the company or firm toward the outside.

The first line of defense is encryption. Under Senate Bill 1386, even if there is a breach, information that is encrypted is considered protected and no notice is required. As such, one means to avoid liability is to properly encrypt customer information.

All sensitive data should be encrypted, but businesses should choose encryption technology carefully. In theory any encryption can be broken by an intruder; the practical question is how long breaking it would take. If, with all the computing power on earth, decrypting the data would take 200 years, the encryption is unbreakable for all practical purposes. When implementing an encryption protocol, remember that the stronger the encryption, the longer it takes to decrypt the information, and for large amounts of data the process can be extremely time-consuming and may hinder the efficient conduct of business. Managers should therefore consider the lifetime of the data: credit cards, for example, expire in four years, so an encryption code only needs to be strong enough to protect credit card data for four years plus one day. There is no need to do more.

Working outward from the encryption of core information, the second line of defense is an intrusion detection system, software that continuously monitors the network and computers for breaches. It is a reactive rather than proactive tool: it raises an alarm once an intrusion has been detected. Unfortunately, intrusion detection systems are often not properly deployed, resulting in frequent false alarms and endless adjustment that can be extremely labor-intensive and frustrating.

The third line of defense is firewalls, hardware and software boundaries that prevent unauthorized access to files on the network. They are only effective in combination with encryption and intrusion detection systems. Technology in and of itself, however, cannot protect a business's information from security breaches. In fact, many of the new laws involve the discreet handling of data and verification of identity. Effective protection is accomplished by a combination of technology and policies and procedures covering both technology and personnel matters, including:

  • Rules that restrict access to the server and to certain categories of information to employees who require that access to conduct business.
  • Policies and procedures for encrypting data; when, where, and how to save data; and when and how to purge data.
  • Policies on what information may be obtained and how it may be stored and used, such as the limits on use of social security numbers and driver's license information that are imposed by Senate Bill 25 and Senate Bill 602.
  • Policies on the maintenance and periodic changing of passwords.
  • Disclosure policies for informing customers or clients how their personal information will be used, as is required by Assembly Bill 68 for Web operators and by Senate Bill 27 in the case of information provided to third parties for marketing purposes.
  • Policies concerning information that leaves the business location or that is moved from one office to another on site (disks, thumb drives, laptops, and so on).
  • Policies on granting access to information to third parties, including affiliates, and consideration of whether consumer approval is first required.
  • Procedures for physically safeguarding access to company computers, including personal computers used by company staff. With today's technology, a small monitoring device can be placed on a personal computer without the user's knowledge and collect data for an extended period. These procedures may involve limiting access to the company's workplace in general.
  • Procedures for safeguarding home computers. In many firms and companies, employees take work home or use their home computers to check their company e-mail. If a firm's attorneys work from home via a secure connection to the office, that security is useless unless home computers are also protected from third-party access. The IT departments of many firms and companies have already begun to visit employees' homes to secure computers. In addition, if employees take laptops off site to a client's location or a coffee shop, those laptops must be secured.
  • Policies and procedures on verification of identity as required by Assembly Bill 1610 and Senate Bill 25.
  • Procedures for regular or constant systems monitoring to detect breaches immediately so they can be disclosed to customers or clients.
  • Human resource policies and procedures such as background checks on new hires.
  • Other applicable restrictions, such as limits on debt collection activities against identity theft victims, as provided by Assembly Bill 1294.

Recent Anti-Identity Theft Legislation Affecting Businesses

  • Senate Bill 1386 (Civil Code §§1798.82, 1798.84, 1798.29): Requires notice to California resident customers of any security breach involving unencrypted personal data.
  • Assembly Bill 1610 (Civil Code §1785.20.3): Requires reasonable steps to verify the identity of a credit applicant if certain information does not reasonably match the consumer credit report.
  • Assembly Bill 1772 and Senate Bill 684 (Penal Code §530.8): Extend the right of persons who discover unauthorized loan applications (or similar forms) in their names to obtain information on the unauthorized transaction.
  • Assembly Bill 1294 (Civil Code §1788.18): Prohibits debt collection once evidence of identity theft is provided.
  • Senate Bill 602 (Civil Code §§1785.11.1, 1785.11.2, 1799.1b, 1798.90.1 et seq.; Penal Code §§530.6, 530.8; Public Utilities Code §2891): Limits the use and retention of driver's license or identification card information.
  • Senate Bill 25 (Civil Code §§1785.11.1, 1785.11.6, 1785.15, 1786.60, 1798.85): Requires reasonable steps to verify a consumer's identity if the consumer report contains a security alert; limits the use of a consumer's social security number.
  • Senate Bill 1 (Financial Code §§4050 et seq.): Limits the ability of financial institutions to share nonpublic consumer information.
  • Assembly Bill 68 (Business and Professions Code §§22575 et seq.): Requires Web operators to list their privacy policies on their sites and notify users of any third parties who will receive personal information.
  • Senate Bill 27 (Civil Code §§1798.83, 1798.84): Requires notice to customers of any disclosure of information to a third party for direct marketing purposes.

Protection is not a matter of technology alone. The best defenses are documented and consistently enforced policies. While it is impossible to develop procedures to address the complexities of every single new law, businesses will need to proceed with caution and common sense: Keep and use only the information that is needed to conduct business, and keep it safe.

Businesses must also adequately educate personnel. Company personnel, especially those accepting or evaluating credit requests, and IT personnel and other staff collecting or handling customer information, must be educated on the new policies to prevent improper extension of credit or acquisition, use, or release of information. For example, the best intrusion detection software is useless if employees release information over the phone to someone they do not know just because the caller has identified himself or herself as "from the phone company" or "from the bank."

Implementation of the procedures necessary to comply with the new laws obliging businesses to protect against identity theft will take teamwork. Management must focus on identity theft. Although the specific departments or individual employees of a firm or company who will be involved with identity theft compliance issues will depend on the size and organizational composition of a business, the IT department will most likely need to take a leadership role. IT professionals are in the best position and are the most skilled to monitor and enforce security. Again, policies and procedures are needed to ensure that IT personnel and other sensitive employees fully grasp the critical need to protect private information and the urgent need to notify the appropriate individuals immediately of any problems with security enforcement or breaches.

Companies with IT departments not prepared to handle the additional burdens of the new laws might decide to outsource some of the functions. It will pay off in the long run to hire IT and security experts to implement the most effective hardware and software solutions and to help develop policies and procedures that support the technology. If a breach has already occurred, computer forensics experts can often follow a trail back to the culprit.

Recently enacted legislation emphasizes the critical need to be proactive about protecting consumer information. As most businesses do not monitor new legislation to consider whether it applies to their companies, it is critical that law firms remain focused on the issue and keep clients apprised of new laws. In addition, law firms will be better able to serve their clients if they are also knowledgeable about technologies that can offer protection from identity theft. In the current climate, it is urgent that all firms and companies enhance their security, with the help of outside IT experts if necessary, and create strong policies and procedures to support the technology solutions.

About the Authors

Chad Coombs is an Attorney and Principal with the full service accounting firm of Grobstein, Horwath & Company LLP. Chad has a Juris Doctor and Master's in Business Taxation from the University of Southern California, as well as a Master's in Business Administration from the University of Washington. He is also a CPA. He formerly practiced bankruptcy law at Stroock & Stroock & Lavan LLP and Fulbright & Jaworski LLP and was a commercial loan officer.

Practice Areas:

  • Litigation and forensic consulting
  • Bankruptcy, insolvency and turnaround consulting
  • Tax advising in bankruptcy and insolvency matters
  • Tax planning for business transactions

Keenen Milner is the Lead Partner of GHC Information Systems, LLC, information technology advisors. Keenen is a Computer Forensic Specialist and Technology Consultant providing clients with fully integrated, creative computer solutions. He assists clients in maximizing performance and lowering operating costs, while ultimately adjusting GHC's services as management evolves.

Certifications:

  • Cisco Certified Network Associate (CCNA)
  • Computer Forensics Professional Certification
  • Microsoft Certified Systems Engineer + Internet (MCSE+I)
  • Microsoft Certified Partner

Practice Areas:

  • Forensics for government agencies (CIA, IRS, Secret Service, FBI, EPA)
  • Forensic analysis of computers
  • Data extraction and data recovery from damaged systems
  • Enhanced external support

Grobstein Horwath & Company LLP, Certified Public Accountants
GHC Information Systems, LLC, Information Technology Advisors
15233 Ventura Boulevard, Ninth Floor
Sherman Oaks, CA 91403
Phone: (818) 501-5200 • Fax: (818) 901-9632
Chad C. Coombs ccoombs@horwathcal.com
Keenen L. Milner kmilner@ghcllc.com

Footnotes

  1. See http://www.ftc.gov/os/2003/09/synovatereport.pdf.
  2. Lawmakers have also addressed the need for privacy of personal information in other contexts, for example in the area of medical information, under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). For more information, see Alexander S. Gareeb, Practical Implications of HIPAA, LOS ANGELES LAWYER, Apr. 2004, at 12.
  3. Senate Bill 1386 adds Civil Code §1798.29, amends and renumbers former Civil Code §1798.82 as Civil Code §1798.84, and adds Civil Code §1798.82.
  4. CIV. CODE §1798.29(e).
  5. See CIV. CODE §1798.29(a).
  6. CIV. CODE §1798.29(g)(3).
  7. Assembly Bill 1610 amends Civil Code §1785.20.3.
  8. Senate Bill 25 amends Civil Code §§1785.11.1, 1785.11.6, 1785.15, 1786.60, and 1798.85.
  9. Civil Code §1785.11.1 provides that consumers may elect to place a security alert on their credit reports by request to a consumer credit reporting agency, in writing or by telephone. The security alert notifies the user of the report that the consumer's identity may have been subject to identity theft. Civil Code §1785.11.2 provides that a consumer may elect to place a security freeze on the consumer's credit report by making a request in writing via certified mail. The freeze prohibits the consumer credit reporting agency from releasing the consumer's credit report or any information from it without the consumer's express authorization.
  10. Senate Bill 602 amends Civil Code §§1785.11.1 and 1785.11.2, Penal Code §§530.6 and 530.8, and Public Utilities Code §2891. Senate Bill 602 also added Title 1.81.2 to Division 3, Part 4, of the Civil Code (beginning with §1798.90.1) and Civil Code §1799.1b. SB 602 is called the Identity Theft Prevention and Assistance Act.
  11. Senate Bill 1, the California Financial Information Privacy Act, adds Division 1.2, commencing with §4050, to the Financial Code.
  12. 16 C.F.R. pt. 313, §1; New York State Bar Ass'n v. Federal Trade Comm'n, 276 F. Supp. 2d 110, 119 (D.D.C. 2003).
  13. New York State Bar Ass'n v. Federal Trade Comm'n, U.S. D. for the D. of Columbia, Case No. 02-810 (Apr. 30, 2004).
  14. H.R. 2622, Pub. L. No. 108-159.
  15. Senate Bill 27 amends Civil Code §1798.84 and repeals Civil Code §1798.83. Civil Code §1798.84 provides that any customer who is injured as a result of a violation of the title is entitled to sue for damages and a civil penalty of $500 per violation or $3,000 per violation in cases in which the violation is found to be willful. The customer may also seek an injunction and reasonable attorney's fees.
  16. Assembly Bill 1294 adds Civil Code §1788.18. Civil Code §1788.30 provides that any debt collector who violates this title shall be liable to the debtor for actual damages the debtor sustains in addition to a penalty of not less than $100 and not greater than $1,000 and reasonable attorney's fees. The debt collector is not liable if the debt collector shows that the violation is unintentional and occurred despite proper procedures in place to avoid such violation or the debt collector corrects or cures the violation as provided in the statute.
  17. Assembly Bill 68, the Online Privacy Protection Act of 2003, adds ch. 22 (commencing with §22575) to div. 8 of the Business and Professions Code.
  18. Assembly Bill 1772 and Senate Bill 684 amend Penal Code §530.8. In addition, §530.8(d)(2) provides that a victim may bring a civil action for damages, injunctive relief or other equitable relief, plus a penalty of $100 per day of noncompliance and reimbursement of reasonable attorney's fees.
  19. See, e.g., Saunders et al. v. Superior Court of Los Angeles County, 27 Cal. App. 4th 832, 838-39 (1994).
  20. See Cel-Tech Communications, Inc. v. Los Angeles Cellular Tel. Co., 20 Cal. 4th 163, 179-80, 83 Cal. Rptr. 2d 548, 560-61 (1999).