Your Business Risk Under the New California Database Breach Act

Companies doing business online just became a lot more vulnerable. In September, amendments were made to the California Database Breach Act (SB 1386) through Senate Bill 46, which expanded the definition of what constitutes compromised personal information to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.”

What that means for any business that collects this type of information is that it’s now liable to comply with the strict guidelines under the California Database Breach Act, including how the business notifies consumers about a data breach.

And this applies to companies outside of California, too – because if you’re doing business online, you need to assume there’s a potential consumer in every state.  Now, businesses need to evaluate how they’re protecting what is likely the most common data website visitors give today: user name and password combinations.

SB 46: What It Changed and How It Can Affect Your Business

Proponents of SB 46 successfully argued that in today’s world, simple data such as username and password can lead to a more serious data breach. Because people often use the same combination of user names, passwords, security questions and email addresses for multiple accounts online, seemingly harmless credentials for one website could lead to fraud on other websites, bank account access and potentially, identity theft.

Companies that have been doing business online and collecting a person’s name, credit or debit cards, social security number, driver’s license or medical health information were accustomed to the existing data breach notification requirements.

What SB 46 did was institute the same obligations for websites that may only be storing email addresses and security questions. This can affect businesses that may simply have a membership aspect to their website, requiring a user to log in to gain access to content.

That means it’s not just big ecommerce sites that are at risk for non-compliance. Smaller businesses with perhaps more modest websites and earnings are now open to the threat of data breaches and potential lawsuits.

And what’s perhaps most concerning is the fact that large companies with rigorous security measures routinely face data breaches. Take some of the more high-profile examples like LinkedIn, Sony and Adobe – not to mention the endless list of security breaches reported each month to the California Attorney General. These data breaches cost businesses millions of dollars each year.

While hacking may be the most common form of data breach, businesses are also liable if an electronic device belonging to an employee has been stolen and contains sensitive information – so think laptops, tablets and smartphones.

How to Prepare for a Data Breach

At Woodruff Sawyer, we advise our clients to have a data breach response plan in place even if they’ve never had a breach. That means knowing exactly whom you’ll consult with, what you’ll do to remedy the issue and how you’ll communicate the problem if a breach occurs.

First, perform a risk assessment of your company’s practices, starting with the following questions:

• What is the most likely source of a cyber-threat for us – is it a competitor, rogue employee or criminal individual?
• Who is responsible for cyber security at the company?
• Has a cyber risk assessment ever been done? Who did it?
• What kind of data do we collect? How long do we store it?
• Where is our data physically located?
• What data cannot be restored once taken?
• What data can take longer to recover?
• What training do we currently provide our employees on password management, public Wi-Fi use and social media participation?

Next, consider a third-party security assessment. Companies that were simply managing login credentials previous to SB 46 probably weren’t as focused on security as a company that was protecting credit card numbers. If that sounds like you, it’s all the more reason to review your current data security measures.

Finally, have a data breach response action plan. This includes lining up:

1. A forensic IT vendor that is ready to go. Have a pre-approved vendor in place that is ready to assess the data breach if  when it occurs. It’s likely you can learn of a data breach on a Friday at 5 p.m., which is not the best time to start interviewing service providers. A neutral third-party assessment to determine what caused the breach and how to handle it is key. Your own IT department might be less inclined to uncover their own mistakes.
2. A legal team in place and a communication plan. Under the California Database Breach Act, any company that has experienced a data breach must follow stringent guidelines on how to communicate that breach to consumers and the attorney general. You’ll need legal counsel during this time on how to best handle it.
3. Cyber insurance. Insurance policies in this space can cover costs incurred during a data breach, including your direct expenses as well as liability to your customers and regulators. Cyber insurance covers fees related to specialized assistance, including legal, IT and communications teams, compensation for credit monitoring or identity theft options you offer consumers, fines levied by regulators for not following the breach laws, fines levied by the Payment Card Industry (PCI), and defense and settlement costs associated with lawsuits.

The bottom line is this: Now that basic login credentials are guarded under the California Database Breach Act, more businesses are exposed to more risk. If you do business online and collect personal information, now is the time to take a serious look at your business’s data encryption, security measures and data breach plan of action before it’s too late.