With the arrival of the Internet and sharing of a customer's financial information electronically, a customer's privacy rights to financial information are now at the forefront of legislation passed by the California legislature and being considered at the federal level. Bill SB1386, recently adopted by the California legislature, creates a duty for companies to protect electronic personal information from being disclosed, and requires companies to notify customers when their electronic information has possibly been misused. Violation of SB1386 may be the basis of a lawsuit.
National privacy rights groups are promoting SB1386 as model legislation on the federal level to combat the dramatic rise of the crime of identity theft. Criminals use stolen personal financial information to get credit cards and checking accounts in the victims' names. The FTC reports that over nine million Americans were the victims of identity theft last year, costing victims $5 billion and costing businesses approximately $50 billion. The victims spent almost 300 million hours working out the identity theft problems.
Courts are wrestling with the breadth of a customer's privacy rights and duties owed to customers, and much litigation is anticipated over this legislation.
Privacy groups and the press have made privacy rights a high-profile topic. Indeed, according to a Wall Street Journal poll, Americans view loss of privacy rights as a matter of great concern. Balancing the breadth of privacy rights and legislation is a difficult task, because protecting information under privacy legislation means that groups are denied access to financial information to which they believe they have a right.
Compliance with the new privacy legislation may be expensive. Consulting firms now sell privacy audits to businesses to help them comply with privacy legislation and enforcement. With the arrival of new privacy legislation, it is expected that class action attorneys will gear up with private cause of action claims against businesses for negligence in failing to keep a customer's private financial information secure.
California Privacy Law/SB1386
SB1386 requires a company that does business in California to notify consumers when there may have been unauthorized access to their electronic personal information. SB1386 also requires that safeguards are in place to protect a customer's private information. SB1386 is a California statute that may apply to all states. The law is intended to protect customers from the risk of identity theft through notifying them of misuse of their personal information so they can take steps to protect their assets.
Key Terms of SB1386
* Electronic Credit Department
SB1386 applies to those companies that store personal information on computers.
* What Information Is Covered?
SB1386 covers personal information, which is defined as a person's first and last name, in combination with the Social Security number, credit card number or driver's license number.
* What Is a Security Breach?
SB1386 requires notification upon a security breach. However, the statute does not define what constitutes a security breach. The statute requires notification even where the company only suspects there has been a breach.
* Must a Company Reside in California?
SB1386 applies to companies outside of California that do business within the state. In an extreme example, a company with but a single California customer and no offices, employees or computers within California may be required to report a breach of security.
SB1386 requires a company to give prompt notice to customers after a security breach. Notice may be via e-mail or regular mail. Should a company fail to disclose a security breach, it may be liable even if the customer's personal information is never used. A company is not required to notify law enforcement. …