"New Identity Theft Law," National Law Journal

June 16, 2003

A new California statute designed to protect the public from identity theft and scheduled to become effective on July 1 promises to have a profound effect on how major corporations both in and out of California will protect their valuable computer data and trade secrets. This new law, California Civil Code § 1798.82, et. seq., requires any business or person who "maintains computerized data that includes personal information that the person or business does not own...[to] notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person." § 1798.82(b).

The statute’s purpose is to provide sufficient notice to individuals whose personal information has been stolen so that they can prevent the information from being used by thieves to assume their identities for the purpose of stealing their bank funds or buying merchandise with their stolen credit card or debit card information.

In enacting this statute, the California Legislature recognized that "[i]dentity theft is one of the fastest growing crimes committed in California" and that "[c]riminals who steal personal information such as social security numbers use the information to open credit card accounts, write bad checks, buy cars, and commit other financial crimes with other people’s identities."

Thus, the statute covers private information, such as a Social Security number, driver’s license number or a credit or debit card number. While the statute expressly exempts "publicly available information that is lawfully made available to the general public from federal, state or local government records," the number of businesses that maintain simply an individual’s Social Security number is likely staggering. For example, every employee record contains the employee’s Social Security number, and banks and insurance companies use Social Security numbers to identify and keep track of their customers. And employers whose employees travel keep driver’s license numbers for insurance purposes.

Applies to any company doing business in California

The reach of this statute is expanded by its explicit application not just to businesses located in California, but to any business "that conducts business in California." § 1798.82(a). The statute also expressly provides that failure to provide the notice required by the law can result in damage suits by "any customer injured" (which could also include class actions) and injunctive relief. § 1798.82(a)(b)(c). In addition, U.S. Senator Dianne Feinstein, D-Calif., is sponsoring a bill in Congress to make this California statute national law.

Even though this statute will provide a powerful incentive for companies to protect a relatively narrow segment of the valuable computer data maintained on their computer networks, a savvy company will extend the same protections to all valuable company computer data. More than 90% of information created today by corporations is maintained in electronic form. See findings of a study at the University of California at Berkeley, Peter Lyman and Hal R. Varian, "How Much Information?" at www.sims. berkeley.edu/research/ projects/how-much-info.

Protecting traditional types of confidential data as well

For that reason, the types of information that should be protected simultaneously with the personal information covered by the California statute are the traditional types of trade secret and confidential and proprietary information such as marketing plans and strategies, customer information, acquisition strategies, product plans and manufacturing processes. The marginal cost of broadening the scope of protection to all such valuable computer data, if not de minimus, is clearly worth the extra cost. There are several ways to accomplish this protection, while at the same time meeting the new obligations posed by this new California statute.

First, the simplest way to avoid liability under the statute and protect all of the com-pany’s computer data is simply to encrypt it, scrambling the data systematically and permitting it to be opened strictly through a password. The new statute applies only to "unencrypted personal information." This raises the question of whether the statute covers an insider thief who removes the encrypted data and then opens the encryption to obtain the personal information to commit identity theft. While the statute does not appear to apply once the personal data is encrypted, the ultimate protection is to use an encryption software that not only encrypts the data in the network but maintains that encryption on the data once it leaves the network, thereby minimizing the ability of both outsiders and insiders to break the code.

Second, computer data can be protected by limiting access to those with a need to use the particular data in the course of their job duties. As mentioned above, the California statute covers the "unauthorized" taking of the computer data but does not define what is "unauthorized." The federal Computer Fraud and Abuse Act (CFAA), which makes it a crime to, among other things, steal computer data and provides for a civil cause of action for those damaged by the theft, is similarly predicated on the "unauthorized" computer access. 18 U.S.C. 1030.

Under the CFAA, the courts have interpreted "unauthorized" in its commonly understood meaning to be access to data to which one is not entitled. Like the California statute, the federal courts have held an employee’s actions to be "unauthorized" under the CFAA when the employee is not acting in "good faith" and has accessed the data for the purpose of competing against his or her employer. See, e.g., Shurgard Storage Centers v. Safeguard Self Storage, 119 F. Supp. 2d 1121 (W.D. Wash. 2000). The federal courts have also found access to be "unauthorized" when rules established by the employer or owner of the computer data have been violated. US Greenfiber v. Brooks, No. Civ. A. 02-2215, 2002 WL 31834009, at *3 (W.D. La. Oct. 25, 2002)

Access can be regulated on a ‘need to know’ basis

In addition to company policies, authorization can also be enforced on the actual accessed data by configuring the computer network in such a way as to provide access only to certain data on a "need to know" basis. Such access can be regulated through passwords or though policy-enforcement software that regulates who in the company can access particular data based on the scope of an individual’s job.

Establishing such authorizations in the computer network and promulgating company rules as to which employees are authorized or not authorized to access specified computer data not only helps in complying with the new California statute, it also facilitates the company’s ability to take advantage of both the civil and criminal remedies provided by the CFAA if data are stolen. Most significantly, the CFAA allows a company victimized by the theft of computer data or other violations of the CFAA to seek injunctive relief from the courts to obtain the return of the stolen data and to prevent the stolen data from being used in competition.

Third, computer data can be protected by training the entire work force from top to bottom on the importance of its protection and the need for the immediate reporting of thefts. A natural result of the California act will be employers training employees to be vigilant for thefts of personal data so that required notices can be provided. Employee training will be necessary for no other reason than to avoid punitive damages under the act so that a company can show that it alerted its employees to the company’s responsibilities under the act. There is, however, no sound reason not to train employees at the same time about the need to protect all of the com-pany’s computer data.

Software can track data in and outside a network

Fourth, computer data can be protected by using software that tracks the flow of data inside and outside of the network. Under the California statute, the company must form a belief that the personal data have been acquired by an unauthorized person. A company is not going to want to give notice, particularly to customers, when in fact there is no theft of personal information. The problem with many companywide networks is that they detect an intrusion into the system but do not necessarily establish whether data have been copied from the network. There is commercial software that can definitively answer that question, and obviously if it is installed on the network to track personal information, there is no reason not to use it to track all of the company’s valuable computer data. The tracking of data in and outside of the network will also provide the necessary admissible evidence of data thefts to prove violations of the CFAA.

Finally, all of these actions to protect computer data will strengthen a com-pany’s ability to take advantage of the civil remedies provided under state trade secret laws and enable it to report to the FBI violators who can be criminally prosecuted under the federal Economic Espionage Act, which makes it a crime to steal trade secrets. 18 U.S.C. 1831, et. seq.

Both of these state and federal statutes require a showing that the company took reasonable steps to protect its trade secret information. Encrypting data, limiting data on a "need to know" basis, training the work force on the importance of protecting the data, tracking the data inside the network and being able to prove whether it leaves the network’s firewall are all reasonable steps that will enhance the protection of the com-pany’s trade secret information.