I've been hacked, now what? - Sentek Global

I’ve been hacked, now what? Guidelines and General Recommendations for California Businesses

No matter how well your business is prepared, there is always a risk of being hacked or experiencing unintentional information disclosure. While you can’t eliminate all risk, a business can implement policies, procedures and plans (Best Practices) to mitigate potentially disruptive security events. In this whitepaper, we’ll briefly list what to do if your company has been hacked in California (CA). Listed are recommendations made by the California Office of Privacy Protection (c. 2012), which include updated definitions from California’s Amended Data Breach Law, CA Civ. Code § 1798.82, effective 1/1/2014.

California uses four definitions of at-risk data: unencrypted, computerized information, specifically an individual’s first name or initial and last name, plus any of the following:

- Social Security number.
- Driver’s license number or California Identification Card number.
- Financial account number, in combination with any required code or password permitting access to an individual’s financial account.

Once you have determined your data has been compromised, follow these “Best Practices” guidelines, part of an overall, pre-defined Information Security Plan, as suggested by the California State Attorney General and the California Office of Privacy Protection.

Notification:

1. Take the necessary steps to contain and control the affected systems. Contact Corporate Legal.
2. Conduct a preliminary investigation and assessment of the breach.
3. If the breach affects over 500 people’s personal information, notify Corporate Legal, who should then notify the CA State Attorney General at: http://oag.ca.gov/ecrime/databreach/reporting.
4. Implement the Notification Plan if the compromised information contains personal data.
5. Notify law enforcement of suspected illegal activities.
6. Notify affected individuals within 10 days of the event, unless law enforcement directs otherwise.
7. Include notification to individuals whose information is also held on paper records or computer printouts.
8. If individuals cannot be identified, notify the groups likely to be affected by the breach.
9. Document the identification process and who gets notified, and make efforts to find individual addresses.
10. Contact credit reporting agencies using a pre-defined Incident Plan to alert them of the breach.
11. If the breach involves consumer information, arrange a quality credit-monitoring service for those affected.

Sentek Global

www.sentekglobal.com

619-543-9550

The following standard definitions of “Personal Information” and “Breach of Security” (based on the definition commonly used by most state and federal governments) are given below for ease of reference, and any CA variations from the common definition are listed in the chart that follows. Medical information is included so as not to detract from the CA statute.

Personal Information: An individual’s first name or first initial and last name plus one or more of the following data elements: (i) Social Security number; (ii) driver’s license number or state-issued ID card number; (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account. Personal Information shall not include information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media.

Breach of Security: The unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality or integrity of personal information.

CA statute in which the definition of “Personal Information” is broader than the Federal general definition

General Breach Notification Statute (as applies to a business): “Personal Information” of California residents. In addition: a username or email address, in combination with a password or security question and answer that would permit access to an online account; medical information; or health insurance information.

Medical Information Specific Breach Notification Statute: For clinics, health facilities, home health agencies, and hospices licensed pursuant to sections 1204, 1250, 1725, or 1745 of the California Health and Safety Code, the state’s Medical Information Breach Notification Statute may apply. The statute applies to patients’ medical information. “Medical information” means any individually identifiable information in electronic or physical form and in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or Social Security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.

CA statute that requires Notice to the Attorney General or a State Agency

General Breach Notification Statute: Any person who notifies more than 500 California residents of a single breach must electronically submit a single sample copy of the notification letter to the Attorney General.


CA statute that requires notification within a specific timeframe

In CA this applies to Medical/Protected Health Information; apart from that, the general business provision is that notification must be given in the most expedient time and manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.

Medical Information Specific Breach Notification Statute: For clinics, health facilities, home health agencies, and hospices licensed pursuant to sections 1204, 1250, 1725, or 1745 of the California Health and Safety Code, the state’s Medical Information Breach Notification Statute may apply. The statute requires licensees to notify both affected patients and the California Department of Health Services no later than 5 business days after the unauthorized access, use, or disclosure has been detected by the licensee.

CA statute that permits a private Cause of Action

Any customer injured by a violation of the General Breach Notification Statute may institute a civil action to recover damages. Any business that violates, proposes to violate, or has violated this title may be enjoined.

CA Encryption Safe Harbor Statute

Notification under the general breach notification statute only applies where unencrypted personal information was acquired, or is believed to have been acquired, by an unauthorized person.

Disclaimer: Please note that the previous summary of CA data breach statutes is not intended to be, and should not be used, as a substitute for reviewing the statutory language, nor does it constitute legal advice. These materials have been prepared solely for the purpose of providing general information about the offerings of Sentek Consulting, Inc. (“Sentek Global”) and do not constitute legal advice or otherwise, nor do these materials create a client relationship. The information contained in the materials is subject to change without notice and may not be accurate, complete or current. Sentek Global disclaims all warranties and will not be liable for any loss that may arise from the use of the information contained in these materials. These materials may not be used or reproduced without the express written consent of Sentek Global.
