SB 1386 effective July 1, 2003 | Data Security Law | 6.03
Theft of computerized personal information will
trigger new notice obligations for employers
conducting business in California
By Nancy L. Ober and Dylan W. Wiseman, June 2003
Effective July 1, 2003, a data security law intended to combat identity theft will impose new
notice obligations and liability exposure on California employers who store personal
information about employees or customers in computer databases. Last year hackers accessed
the state controller’s payroll database containing personal and financial information about
thousands of employees, including state legislators. The breach went unreported for several
weeks after it was detected. SB 1386 followed.
PROTECTION OF PERSONAL INFORMATION
SB 1386 requires any person or business that conducts business in California, as well as any
state agency, to notify any California resident whose unencrypted personal information was, or
is reasonably believed to have been, acquired by an unauthorized person. “Personal
information” means an individual’s name and one or more of the individual’s (1) social security
number; (2) driver’s license or California identification card number; or (3) account number,
credit or debit card number, in combination with any required security code, access code or
password that would permit access to the individual’s financial account.
NOTICE OBLIGATION UPON SECURITY BREACH
The notice obligation is triggered when the owner or licensee of computerized data discovers or
is notified of a security breach. A security breach occurs upon unauthorized acquisition of
computerized data that compromises the security, confidentiality or integrity of personal
information. Good faith acquisition of personal information by an employee or agent of the
business for the purposes of the business is not a security breach, provided that the employee or
agent does not use or make further unauthorized disclosure of such information.
TIMING OF NOTICE
The owner