California SB 1386

On July 1, 2003, California enacted an electronic data privacy law to protect residents from one of the fastest-growing crimes: identity theft. SB 1386 (Civil Code 1798.29) requires businesses to notify California residents if a security breach results in the disclosure of personal electronic information. All businesses are subject to this law regardless of size, location, or operations. Business owners should be aware of the problems associated with identity theft, the steps needed to comply with SB 1386, and the preventative measures available.

Identity theft is a significant problem for both citizens and financial institutions. The FTC estimates that more than 27.3 million Americans have been victims of identity theft in the past five years. The US financial impact is staggering: in 2002 alone, losses were estimated at $48 billion for financial institutions and $5 billion for victims. The FTC examined trends in 214,905 cases reported in 2003, and California accounted for the largest number of incidents (39,452). In 20% of cases, the source of the information breach involved disclosure of personal data over the Internet or other electronic sources. In 55% of cases, identity theft resulted in credit card, bank or loan fraud.

Federal and state laws address this growing problem. The FTC provides some protection by aggressively enforcing existing federal laws. Under the Unfair and Deceptive Trade Practices Act, a website operator must adhere to the company's privacy policy or be prosecuted for failing to exercise a reasonable standard of care. Reasonable care includes addressing potential system vulnerabilities such as viruses and encrypting personal information so it cannot be viewed. The FTC recently ordered several large companies to implement tougher privacy controls after breaches exposed personal data.
In January 2001, Eli Lilly settled with the FTC after accidentally leaking the email addresses of nearly 700 consumers using the company's Prozac antidepressant. Seven months later, Microsoft came under fire from the FTC for misrepresenting the security of its "Passport Wallet" web service. Most recently, in April 2004, Tower Records was accused of permitting and failing to correct a breach that disclosed consumer information, including names, billing and shipping addresses, e-mail addresses, telephone numbers and...

... 2003. http://www.consumer.gov/idtheft/IDT_CY03/California%20CY2003.pdf
January 18, 2002, "Eli Lilly Settles FTC Charges Alleging Security Violations." http://www.ftc.gov/opa/2002/01/elililly.htm
August 8, 2002, "Microsoft Settles FTC Charges Alleging False Promises of Security and Privacy." http://www.ftc.gov/opa/2002/08/microsoft.htm
April 21, 2004, "Tower Records Settles FTC Charges." http://www.ftc.gov/opa/2004/04/towerrecords.htm

Articles:
Cheryl A. Falvey, "Disclosure of Security Breaches Required by New California Privacy Legislation." http://library.lp.findlaw.com/articles/file/00008/009186/title/Subject/topic/Antitrust%20and%20Trade%20Regulation_Unfair%20Trade%20Practices/filename/antitrustandtraderegulation_2_237
Whole Security, "Facts on Identity Theft." http://www.wholesecurity.com/threat/identity_theft.html
Auxillium West, "California SB 1386 – Personal Information: Privacy." http://www.auxillium.com/californiaSB1386.shtml
StrongAuth, Inc., "California's SB 1386 – Frequently Asked Questions." http://www.strongauth.com/regulations/sb1386/sb1386FAQ.html

Legislation: