CIBC & SB 1386
CIBC is a Canadian bank that has recently been sued by a West Virginia scrapyard operator for faxing their customers’ private data to him. I’ve blogged about them here and here. (It turns out that other banks are doing the same thing, as David Akin blogs.)
SB 1386 is a California law that requires companies to disclose to their California customers if their private data is compromised.
SB 1386 likely does not apply to CIBC (unless CIBC has Californian customers). But what if it did? (Allow me to remind you that I am not a lawyer.) I’ll pretend that CIBC has Californian customers, and ignore any choice-of-law or international law issues that may apply. I’ll also pretend that social insurance numbers are social security numbers.
The text of SB-1386 is here.
SEC. 2. Section 1798.29 is added to the Civil Code, to read:
1798.29. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(d) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. …
(e) For purposes of this section, “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
So it seems from reading this that the main points are:
- Do business with Californians
- Maintain computerized data that includes an SSN
- Know about unauthorized acquisition of that data.
I have no idea how important the word “computerized” is here. In a way, everything seems to hinge on it. But the preamble of the law makes clear that what matters is the disclosure, not its form.
The disclosure of the data in the CIBC case was not computerized. So, under 1798.29(d), CIBC may be able to argue that no breach of the computerized data occurred.
It seems somewhat unlikely that CIBC knows which customers’ data was compromised. As Akin points out, there’s at least one more recipient of the errant faxes. And given the nature of the error (misdialed faxes), there are probably a lot more than these two. (Why CIBC didn’t have an auto-dial system in place is beyond me… how many places do they need to fax data?) So notifying the correct set of customers would be hard. What if they don’t notify, on my wacky computerization theory? Why, the bill specifies a private right of action:
1798.84. (a) Any customer injured by a violation of this title may institute a civil action to recover damages.
(b) Any business that violates, proposes to violate, or has violated this title may be enjoined.
The theory behind this is that stopping identity theft requires prompt action, and by not quickly notifying customers, those customers are more likely to suffer more substantial injury. (See the bill; it’s in section 1, (a)–(e).) I’m not aware of any private action brought under this section, but it seems to me that showing that a theft occurred is easy. Showing that it was a result of CIBC’s inaction strikes me as very difficult.
Alternatively, those writing new laws could make them more clearly address these sorts of issues. The broad reach of the “California customers” provision causes all companies to comply with the strictest of these laws.