destroyed, damaged, or otherwise no longer capable of being processed …, or are found to be incomplete or materially inaccurate.” 119
Most recent legislation, however, has focused on the obligation to disclose breaches affecting sensitive personal information. Designed as a way to help protect persons who might be adversely affected by a security breach, these laws seek to impose an obligation similar to the common law “duty to warn” of dangers. Such a duty is often based on the view that a party who has a superior knowledge of a danger of injury or damage to another that is posed by a specific hazard must warn those who lack such knowledge. By requiring notice to persons who may be adversely affected by a security breach (e.g., persons whose compromised personal information may be used to facilitate identity theft), these rules seek to provide such persons with an opportunity to take protective measures.
At the same time, these rules also leverage a very powerful force – the fact that the required disclosures may be embarrassing and serve to publicly highlight a company’s lack of adequate security. Absent a legal requirement, most companies do not publicly disclose information security breaches or contact law enforcement agencies. The annual Computer Security Institute and FBI Computer Crime and Security Survey for 2005,120 for example, reported that only 20 percent of respondents who suffered serious computer security breaches reported the incident to law enforcement. The key reason cited for not reporting intrusions to law enforcement, according to the Report, is the concern for negative publicity. Thus, the fear of adverse publicity arising from the obligation to disclose security breaches may actually incentivize companies to implement better security measures in the first place.
The first law requiring disclosure of security breaches involving personal information was the California Security Breach Information Act (S.B. 1386), which became effective on July 1, 2003.121 That law requires all companies doing business in California to disclose any breach of security that results in an unauthorized person acquiring certain types of personally identifiable information of a California resident. Disclosure must be made to all persons whose personal information was compromised, and anyone who is injured by a company’s failure to do so can sue to recover damages. It is this law that is credited with requiring ChoicePoint (and all of the other companies that followed) to disclose the breaches they suffered in early 2005.
The ChoicePoint incident, and the other corporate breaches that followed, prompted many states to follow California’s lead. Over 60 bills requiring notification of security breaches were quickly introduced in at least 36 states in Spring 2005. By August 2005, at least 20 states had enacted such laws, all essentially based on the California
119 IRS Rev. Proc. 98-25, Section 8.01. The notice must identify the affected records and include a plan that describes how, and in what time frame, the taxpayer proposes to replace or restore the affected records in a way that assures that they will be capable of being processed. Rev. Proc. 98-25, Section 8.02.
120 Available at www.gocsi.com.
121 Cal. Civil Code Section 1798.82. A copy is available at www.leginfo.ca.gov/calaw.html.