One of the major justifications small business owners have for not protecting their information more carefully is “who would want our information? We’re just a small firm that doesn’t handle anything important for anybody.” A recent security breach reveals the risks. A small software service that provides back-end software solutions for car-hire services had its data hijacked . The data included credit card numbers, pick-up and drop-off information, and client names. While actor Tom Hanks is described as a “VVIP” client (hardly surprising), others had data about their preferences, included those who smoked marijuana or had sex in the car. If you are a flower shop, it may not seem important, but if a nearby resident is repeatedly sending flowers to someone not his or her spouse, or sending “Sorry, I screwed up” bouquets to the spouse, that may become sought-after information if the resident becomes notorious later.
Starting next year, companies that have had compromised data relating to consumer user names and passwords will have to inform all its California customers of the data compromise. Senate Bill 46 was signed by Governor Brown in September, and will be effective as of January 1, 2014. Designed to minimize the effects of identity theft, the new notification requirements will give California consumers the chance to minimize the effects of the data compromise – and thereby reduce the potential liability for the website. However, there are real dangers lurking for the companies charged with protecting the information. Enacted as amendments to California Civil Code §1798.29, it will require that every California resident whose data is subject to a security breach be notified “in the most expedient time possible and without unreasonable delay.” Written in plain English, the notice of the security breach is supposed to inform the California resident:
- • of the type of the personal information that was subject to the breach,
- • when the breach occurred and similar information,
- • of the contact information for the leading credit reporting agencies,
- • if a social security or driver’s license number were subject to the breach, as well as
- • other possible ways of protecting from the consequences of the breach.
Data protected is far more than user names and passwords; they also include medical and insurance information, account numbers, and credit or debit card numbers. Notice also that while California residents are protected, it does not limit those required to give notice to California companies. Every website is covered, regardless of its location.
What to Do. If your company suffers a data security breach, avoid the temptation to hide it unless law enforcement specifically asks you to do so (there is a law enforcement exemption to the notice requirements). As soon as reasonably possible, notify everyone involved as soon as possible in a way that complies with the law (electronic notice is allowed). Do so for everyone, both California and non-California residents. The stick here is that failure to provide timely notification can make the company liable for millions of dollars in damages. This law is a true Trojan horse that requires the strictest care. If customers suffer an identity theft and did not get timely notice, this statute will likely allow them to seek damages against you. This could get very expensive, very quickly. Check with your insurance agent to see whether your general liability insurance can provide any protection. If (or when) it does, make sure there is sufficient protection – a $10,000 limit may not cover much. In the meantime, check with your IT people to make sure there are several layers of security for information that could cost you. It took a lot of trickery, and a wooden horse, to conquer the riches of Troy. To steal a fantastical amount of money 50 years ago meant burrowing into a bank vault. These days, untold riches can result from letting computers tap into accounts, while the felon is playing Angry Birds or Candy Crush Saga. Companies are now on the hook for the consequences of a successful data breach.