On July 1, 2003, California enacted an electronic data privacy law to protect residents from one of its fastest growing crimes: identity theft. SB 1386 (Civil Code 1798.29) requires businesses to notify California residents if a security breach results in disclosure of personal electronic data. All businesses are subject to this law regardless of size, location, or operations. Business owners should be aware of the problems associated with identity theft, the steps required to comply with SB 1386, and the preventative measures available.
Identity theft is a significant problem to both citizens and financial institutions. The FTC estimates that over 27.3 million Americans have been the victims of identity theft in the past five years. The U.S. financial impact is staggering; in 2002 alone, losses were estimated at $48 billion to financial institutions and $5 billion to victims. The FTC reviewed trends from 214,905 cases reported in 2003, and California accounted for the highest number of incidents (39,452). In 20% of all cases, the source of the information breach involved disclosure of personal data over the internet or other electronic sources. In 55% of all cases, the identity theft resulted in credit card, bank, or loan fraud. Federal and state laws address this growing problem.
The FTC provides some protection by aggressively enforcing existing federal laws. Under the unfair and deceptive trade practices law, a website operator must adhere to the company's own privacy policy or face prosecution for failing to exercise a reasonable standard of care. Reasonable care includes addressing potential system vulnerabilities such as viruses and encrypting personal information so that it cannot be viewed. The FTC recently ordered several large corporation ...