An Overview of California Identity Theft Laws

1
An Overview of California Identity Theft Laws

• Stephen S. Wu
• InfoSec Law Group, PC
• Electronic Authentication Partnership
• August 2005 Meeting
• San Francisco ? August 11, 2005

2
California Laws Cover

• Authentication
• Information Gathering
• Ensuring Accurate Info
• Safeguards
• Notification
• Criminal Penalties

3
SB 1386

• Civil Code 1798.29, 1798.82, 1798.84
• Requires notification of security breaches
  involving unencrypted personal information
• Obligation to notify the person whose information
  was compromised

4
SB 1386

• Covers state agencies or businesses that conduct
  business in California
• Personal information means last name, first
  initial or name, and either
• Social security number
• Drivers license or Cal. ID card number
• Account no. or card no. in combination with
  password or access code

5
SB 1386

• Notification can be delayed if law enforcement
  determines notice would impede an investigation
• Private right of action for damages
• Statutory authority for injunctions

6
AB 1950 The Basics

• Cal. Civil Code 1798.81.5 added
• Requires businesses to maintain
• reasonable security procedures and practices
• appropriate to the nature of the info
• protect against unauthorized access, destruction,
  use, modification, or disclosure
• bind nonaffiliated third parties

7
AB 1950 Personal Information

• Covers businesses that own or license personal
  information about a Cal. Resident
• Not limited to computerized info
• Personal information is defined as in SB 1386,
  but adds medical information
• But see definition with broader scope of personal
  info 1798.80(e).

8
AB 1950 Exceptions from Coverage

• Exceptions in AB 1950
• Any public information
• HIPAA-covered entities, or those covered by Cal.
  Confidentiality of Medical Information Act
• Financial institutions
• Entities receiving drivers license info under
  contract
• No blanket exception for encryption

9
What has AB 1950 Added?

• Section 1798.84 damages claims now apply to the
  security breach, in addition to the failure to
  notify
• Now the breach will create liability as unlawful
  conduct under other consumer legal remedies
• Waivers are void and unenforceable

10
Other ID Theft-Related Laws
11
Authentication

• Credit card issuers must use activation process
  before a card can be used Civil Code 1747.05
• Verify change of address before issuing credit
  card after previous unsolicited offer Civil
  Code 1747.06
• Notify customer at old address after request for
  new card following change of address Civil Code
  1799.1b

12
Information Gathering

• Merchant cant record credit card number as a
  condition of accepting a check Civil Code 1725,
  1747.8
• Bars and car dealers prohibited from swiping
  drivers license for purposes other than age
  check or authenticity of license Civil Code
  1798.90.1
• Supermarket club card programs cant request SSN
  or drivers license Civil Code 1749.60

13
Ensuring Accurate Info

• Consumer Credit Reporting Agencies Act
• State counterpart to Fair Credit Reporting Act
• Requires free copy of credit report to ID theft
  victims
• Requires security alerts or freezes for consumers
  requesting them
• Civil Code 1785.1-1785.36

14
Safeguards

• In addition to AB 1950
• Credit card number truncation on receipts Civil
  Code 1747.9
• Destruction of sensitive personal information
  Civil Code 1798.81
• Limits on publication of SSNs (various)
• Limits on access to birth and death records
  (Health and Safety Code)

15
Notifications

• SB 1386
• Veterans notified that their discharge papers on
  file with county recorders contain their SSNs
  Government Code 27377

16
Criminal Penalties

• Laws criminalizing ID theft Penal Code
  530.5-530.8
• Conspiracy to commit ID theft Penal Code 182,
  529.7
• Possession or use of card skimmers with intent to
  defraud Penal Code 502.6

17
Other Laws

• State constitutional right to privacy (Art. 1,
  Sec. 1) and right of action for invasion of
  privacy
• Medical information confidentiality laws Civil
  Code 56-56.37
• Spyware law Bus. Prof. Code 22947
• Unfair Competition and False Advertising Laws
  Bus. Prof. Code 17200, 17500
• Consumers Legal Remedies Act Civil Code 1750

18
Questions?
Stephen S. Wu InfoSec Law Group, PC 800 West El
Camino Real Suite 180 Mountain View, CA
94040 www.infoseclaw.com swu_at_infoseclaw.com (650)
917-8045