Memo #15222

CALIFORNIA GOVERNOR SIGNS LEGISLATION REQUIRING NOTICE BE PROVIDED TO CALIFORNIANS OF COMPUTER SECURITY BREACHES

[15222]

October 2, 2002

TO: COMPLIANCE ADVISORY COMMITTEE No. 81-02
    INVESTMENT ADVISER ASSOCIATE MEMBERS No. 24-02
    INVESTMENT ADVISER MEMBERS No. 40-02
    PRIMARY CONTACTS - MEMBER COMPLEX No. 80-02
    PRIVACY ISSUES WORKING GROUP No. 6-02
    SEC RULES MEMBERS No. 84-02
    SMALL FUNDS MEMBERS No. 40-02
    TECHNOLOGY ADVISORY COMMITTEE No. 12-02

RE: CALIFORNIA GOVERNOR SIGNS LEGISLATION REQUIRING NOTICE BE PROVIDED TO CALIFORNIANS OF COMPUTER SECURITY BREACHES

On September 26th, the Governor of California signed into law a bill that will require any person or business that conducts business in California – irrespective of where the person or business is located – to notify California residents of certain breaches in the security of such person’s or business’s computer system.* This new law, which will apply to any breaches occurring on or after July 1, 2003, will require any person or business that conducts business in California and that owns or licenses computerized data that includes personal information to disclose any breach in the security of the data to any resident of California whose unencrypted information was, or is reasonably believed to have been, acquired by an unauthorized person. Notice must be provided as expeditiously as possible, though it may be delayed if the breach has been reported to law enforcement and providing notice to Californians would impede a criminal investigation.

As defined in the law, “breach” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Expressly excluded is any “good faith acquisition” of personal information by an employee or agent of the person or business for the purposes of the person or business, provided that the personal information is not used or subject to further unauthorized disclosure.

“Personal information” is defined as an individual’s first name or initial and last name in combination with any one or more of the following: social security number; driver’s license number or California Identification Card number; or account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. Personal information does not include any publicly available information that is lawfully made available to the general public from federal, state, or local government records. The law does not define “encrypted.”

Though the law is silent on the specific contents of the notice, it does require that Californians be provided the notice by one of the following methods: (1) in writing; (2) electronically, if such notification is consistent with the Federal E-Sign law (15 USC 7001); (3) in compliance with any notification procedures that the person or business has as part of an information security policy for the treatment of personal information, provided that such notice is in compliance with the timing requirements of the law; or (4) by “substitute notice.” Under the law, “substitute notice” can be used by any person or business “that demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000.” [The law does not define whether these standards apply to each instance of a breach or cumulatively in the event of multiple breaches.]

Substitute notice shall consist of all of the following: (1) an e-mail notice if the person or business has an e-mail address for the Californian; (2) conspicuous posting of the notice on the Web site or page of the business or person (if it has one); and (3) “notification to major statewide media.”

A person or business that violates this law may be subject to an injunction or to a civil action by a customer to recover damages resulting from the violation.

A copy of this new law is attached.

Tamara K. Reed
Associate Counsel

* This new law, which is the codification of Senate Bill 1386, imposes a similar duty on agencies of California government to notify in the event of a breach of their computerized data systems. The provisions applicable to persons or businesses can be found in Sections 3 and 4 of the bill. The Institute vigorously opposed this bill when it was considered by the California General Assembly.

Note: Not all recipients receive the attachment. To obtain a copy of the attachment, please visit our members website (http://members.ici.org) and search for memo 15222, or call the ICI Library at (202) 326-8304 and request the attachment for memo 15222.

Attachment (in .pdf format)
