California Business Privacy Primer
Identity Theft: Addressing the Problem in California
Joanne McNabb, Chief, CA Office of Privacy Protection
Computers, Freedom and Privacy, April 23, 2004
Outline of Presentation
• Office of Privacy Protection
• CA Law on Notification of Security Breach (SB 1386)
• CA ID Theft Laws and FACTA
Office of Privacy Protection: Mission
• Promote and protect the privacy interests of individuals in a manner consistent with the California Constitution.
• Identify consumer privacy problems and facilitate development of fair information practices.
Office of Privacy Protection: Functions
• Offer assistance to consumers
• Provide information & education
• Coordinate with law enforcement
• Recommend best practices to protect individual privacy
Why People Contact OPP
[Pie chart of contacts by topic; ID theft is the largest category at 70%]
The CA Constitution & Federal Preemption
California Constitution, Article 3, § 3.5:
"An administrative agency… has no power… (c) To declare a statute unenforceable, or to refuse to enforce a statute on the basis that federal law or federal regulations prohibit the enforcement of such statute unless an appellate court has made a determination that the enforcement of such statute is prohibited by federal law or federal regulations."
CA Identity Theft & Data Protection Laws in FACTA
• Blocking of ID theft info in credit files: CA Civil Code §§ 1785.16(k), 1785.16.1, 1785.16.3, 1785.20.3(b) (FCRA § 605B)
• Victim access to documents on fraudulent accounts: CA Penal Code § 530.8 (FCRA § 609(e))
• Credit card number truncation: CA Civil Code § 1747.9 (FCRA § 605(g))
• Destruction of customer records: CA Civil Code § 1798.81 (FCRA § 628)
CA Identity Theft Laws Not in FACTA
• Right of victim to get police report: CA Penal Code § 530.6
• Rights of “criminal ID theft” victim: CA Penal Code §§ 530.6, 530.7
• Right of victim to bring action vs. claimant: CA Civil Code § 1798.93
• Right of victim to 12 free credit reports in a year: CA Civil Code § 1785.15.3(b)
• Right to freeze credit files: CA Civil Code § 1785.11.2 et seq.
• Burden of proof on debt collector in ID theft: CA Civil Code § 1788.18
CA Data Protection Laws Not in FACTA
• Ban on public display of SSNs: CA Civil Code § 1798.85 et seq.
• Ban on recording personal info on credit card transactions: CA Civil Code § 1747.8
• Limits on use of personal info swiped from DL: CA Civil Code § 1798.90
• Ban on recording credit card # on checks: CA Civil Code § 1725
• Secure mailing of “convenience checks”: CA Financial Code § 22342(d)
• Requirement to notify of security breach: CA Civil Code §§ 1798.29, 1798.82 et seq.
Contacts on ID Theft & Security Breaches
[Bar chart of contacts per fiscal year: FY 01/02: 345; FY 02/03: 836; FY 03/04 (thru 4/14/04): 3,054]
CA Notice of Security Breach Law
• Applies to person, company, state agency
• Must notify people “in the most expedient time possible and without unreasonable delay” if personal information is acquired by unauthorized person
• Civil Code §§ 1798.29, 1798.82 & 1798.84
Notice of Security Breach Law
• Applies to unencrypted, computerized data including personal info
• Personal info defined: first name or initial and last name, plus
  • SSN,
  • DL#, or
  • financial account number and any PW.
• Time allowed for internal analysis to determine scope, and law enforcement investigation
Notice of Security Breach Law
• Notice may be:
  • Written, or
  • Electronic, or
  • Substitute if >$250,000 or >500,000 people
• Substitute notice must be all of:
  • Email when agency has addresses
  • Web site posting
  • Major statewide media
The Notification Test
1. Was there a "breach of the security" of the data as defined?
2. Does the data include "personal information" as defined?
3. Does that "personal information" relate to a California resident?
4. Was the "personal information" unencrypted?
5. Was the "personal information" acquired, or reasonably believed to have been acquired, by an unauthorized person?
Examples of Incidents
• Hacking into server containing file w/ names & SSNs
• Stolen computers w/ names & SSNs
• Documents containing names & SSNs mailed to wrong people
• Server hijacked for use as relay to download music or to send spam (server has files with names, SSNs, etc.)
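The five-question notification test and the incident examples above, as an added worked example that is not part of the presentation: a small Python routine encodes the test and the slides' definition of personal information, then runs it against a constructed stolen-computer incident with and without encryption. The Record and Incident fields, and the sample records, are assumptions made for this example.

```python
from dataclasses import dataclass

# Data elements which, together with first name or initial and last name,
# make a record "personal information" under the statute as summarized above.
SENSITIVE = {"ssn", "driver_license", "financial_account_with_password"}

@dataclass
class Record:                  # one individual's data on the affected system (assumed shape)
    first_name_or_initial: bool
    last_name: bool
    elements: frozenset        # subset of SENSITIVE present in the record
    encrypted: bool            # statute covers unencrypted data only
    computerized: bool         # statute covers computerized data only
    ca_resident: bool

@dataclass
class Incident:
    breach_of_security: bool   # question 1: unauthorized access to the system
    acquired: bool             # question 5: acquired, or reasonably believed acquired
    records: list

def is_personal_information(r: Record) -> bool:
    """Question 2: name plus at least one of the listed data elements."""
    return r.first_name_or_initial and r.last_name and bool(r.elements & SENSITIVE)

def notification_test(inc: Incident) -> dict:
    """Apply the five questions; 'notify' is true only when all five are yes."""
    q2 = [r for r in inc.records if r.computerized and is_personal_information(r)]
    q3 = [r for r in q2 if r.ca_resident]
    q4 = [r for r in q3 if not r.encrypted]
    answers = {
        "1_breach_of_security": inc.breach_of_security,
        "2_personal_information": bool(q2),
        "3_california_resident": bool(q3),
        "4_unencrypted": bool(q4),
        "5_acquired_by_unauthorized_person": inc.acquired,
    }
    answers["notify"] = all(answers.values())
    answers["residents_to_notify"] = len(q4) if answers["notify"] else 0
    return answers

def stolen_laptop(encrypted: bool) -> Incident:
    """Constructed incident: stolen computer holding names and SSNs."""
    recs = [
        Record(True, True, frozenset({"ssn"}), encrypted, True, True),   # CA resident
        Record(True, True, frozenset({"ssn"}), encrypted, True, False),  # out of state
        Record(True, True, frozenset(), encrypted, True, True),          # name only
    ]
    return Incident(breach_of_security=True, acquired=True, records=recs)
```

With the data unencrypted the test answers yes on all five questions and one California resident must be notified; with the same data encrypted, question 4 fails and no notice is required under this test.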
Best Practices Document
“Recommended Practices on Notification of Security Breach Involving Personal Information”
• Protection & Prevention
• Preparation for Notification
• Notification (with sample letters)
Available on Web site on Recommended Practices page
Contact Information
Joanne McNabb, Chief
400 R Street, Suite 3080
Sacramento, CA 95814
916-322-4420
[email protected]
www.privacy.ca.gov
CFP, April 23, 2004