Once again, California is taking the lead on addressing emerging data security issues. Governor Brown is expected to sign into law a new data security breach notification bill (S.B. 46). The bill expands the coverage of California’s existing breach law to include breaches of individuals’ online user names and email addresses, when acquired in combination with passwords or a security question and answers that would permit access to their online accounts.
As I have written before, after conducting the forensic investigation, the next question to address is whether the event will require notification of consumers. The obvious first question is whether the information at issue is covered by the governing statute. i.e., Personally Identifiable Information (“PII”). Stated generally, breach notification laws concern data that includes some combination of personal identifying information (such as name and address) with confidential personal or financial information. The confidential information includes social security numbers, driver’s license or state identification number, account number in combination with a password or security code, medical information, and the like. In the end, only if the incident involves data covered by the notice statute is further analysis even required.
California Civil Code Section 1798.82 already required notice when a security breach occurs involving “an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver’s license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. (4) Medical information. (5) Health insurance information.” Cal. Civ. Code Section 1798.82(h).
S.B. 46 amends Section 1798.82(h) to expand the definition of “personal information” for which breach notification is required. The new law adds to the definition: “A user name or email address, in combination with a password or security question and answer that would permit access to an online account.” In other words, events that before which would not require notice, now will. Take for example the Zappos event announced in January 2012. In a blog entry posted Jan. 15, Zappos explained that a criminal had gained access to certain parts of the network through one of the company’s servers in Kentucky, the data breach resulted in unauthorized access to customer account information including: names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers and/or the cryptographically scrambled passwords (but not the actual passwords). None of the above information would have required notice under the old version of the California statute. Under the amended regime, the question is a closer call. More care will need to be taken to address the critical question of whether notice is required.
Likewise, many commentators criticized Zappos for terminating customer’s password access. For example John D’Arcy, assistant professor of information technology at the University of Notre Dame was quoted saying that “the Zappos response strategy is “‘not a good idea.’” “The Zappos decision to terminate customer password access creates a situation that makes it appear “it’s a panic mode” and would likely create a sense of panic. “Maybe they went overboard,” he says. He says the motivation for the attack is probably to gain information to sell to competitors on the black market. However, phishing attacks to try and steal more customer information are also a possibility. http://www.networkworld.com/news/2012/011712-zappos-data-breach-254971.html
However, the new legislation adds Section 1798.82(d)(4), seems to not only encourage but de facto requires such instructions to consumers as a “good practice.” The amendment indicates how businesses “may comply” with the notification requirements of the statute in cases where “login credentials of an email account” are breached. Where email login information is breached, new Section 1798.82(d)(5) specifically prohibits “providing the security breach notification to that email address.” The new rules state that a company may comply with the notification obligations of the statute “by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.”
In the case of breaches involving Online Account Data that contains “login credentials of an email account furnished by the person or business,” the entity that furnished the login credentials, if breached, “shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in [the statute for breaches of other personal information] or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.”
So not only has the definition of PII been expanded, but the amendment also increases the complexity of how to communicate the breach and what to include in the communication. Interesting, the notice content part of the amendment provides some insight into the amendment of the definition of PII. The amendment suggest that the company instruct consumers to protect “all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.” It is well known that consumers reuse user IDs and passwords across multiple accounts, often despite knowing this is a bad security practice. Thus, you will note that unlike other aspects of the definition of PII, the amendment does not limit the access breach to financial, health or other accounts that previously have been considered especially sensitive. Why? Because most consumer reused their passwords and IDS; thus, breaching an ID and password for a Linkin account might in fact give access to a bank account. That said, it also might give access to the email account if the ID is the email address and the consumer uses the same password.
As illustrated above the landscape continues to evolve. Not surprisingly, as with other California amendments, other states will soon follow. This ever increasing complexity requires careful attention both before and after an event occurs. Indeed, California is taking the lead yet again, moving one step closer towards amending its Constitution to create a presumption of harm whenever personal data is shared without a consumer’s express opt-in. Such a change that would clear a significant hurdle to many privacy breach lawsuits increasing the risks. Being prepared and employing the right resources could make a critical difference.