The exchange of cash as payment for goods or services is rare these days. We have certainly become a digital society. Businesses make advances daily to make transactions more efficient and convenient. However, businesses engaging in e-commerce must not compromise security for expediency. Additionally, businesses store vast amounts of personal data about their customers. These businesses, such as health care providers and health insurance companies, not only must safeguard their electronic transactions but must also secure sensitive information and proactively combat data breaches. Failure to do so can lead to a huge economic loss for the customers and the company. The savvy business attorneys at Structure Law Group, LLP advise businesses on the best practices to prevent data breaches and counsel them on the necessary steps to take if such an unfortunate event occurs.
In California, people have a constitutional right to the safety and integrity of their personal information. California’s information security act defines personal information as any information that could identify or describe a person. Personal information also includes an individual’s name, address, social security number, license number, medical information, and the like. A business in possession of such information must take reasonable steps to prevent disclosure of private information. California law obligates businesses to implement security measures reasonably designed to protect the integrity of the private information. Every business entity, from a sole proprietorship to a multi-national corporation, is subject to the information security act.
California law broadly defines “data breach.” A data breach includes any “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” The information may be used in good faith for the benefit of the person whose information is disclosed, provided that such disclosure is authorized.
California businesses must act expeditiously when a data breach of unencrypted information occurs. The business must disclose the details of the breach “without unreasonable delay.” The business must notify its customers, and law enforcement if necessary, in writing about the breach. The notice must include plain statements about what happened, the nature of the information compromised, and the efforts the company has undertaken to repair the problem, and must provide an 800 number that consumers can call for further information. The notice must be in type no smaller than 10-point and use clear and unambiguous language. If the company was the source of the breach, then the company must offer “identity theft and mitigation services” free of charge for at least 12 months.
Consumers have recourse against the company for failure to protect private information. California law prohibits waiver of the rights granted to individuals against unauthorized disclosure of private information. The injured person may sue the company for damages under a negligence theory. Those damages would cover the actual loss as well as incidental damages caused by the data breach. However, if the injured party proves that the company acted wilfully, maliciously, or recklessly, then the consumer is entitled to a $3,000 penalty per violation. If the action is based upon mere negligence, then the party may recover a $500 penalty. Also, the company is liable for damages for failing to comply with the notice provisions of the law. The injured party can recover reasonable attorney’s fees and costs in addition to damages and the civil penalty.
The experienced and dedicated Silicon Valley business attorneys at Structure Law Group, LLP can help protect your business from data breaches and the fallout if a breach happens. Call Structure Law Group today at 408-441-7500 to learn how they can help protect your business.