California law covers online trade

US citizens can sue over personal data security.

US citizens can sue over personal data security.

Online traders should be aware of SB 1386 (now enacted as Section 1798.82 of the California Civil Code). It is an important piece of IT security legislation.

It came into force on 1 July and will affect any person or business conducting business in California and holding unencrypted personal information (for example, credit card details) relating to California residents.

"Any person or business" is a broad definition. Online traders will certainly be affected but it is not difficult to think of others, for example those in the financial or leisure and travel industries.

What is SB1386?

The law places an obligation on companies that discover or receive notification of a security breach, to promptly disclose the breach to all California residents whose data has or is reasonably believed to have been acquired by an unauthorised person.

SB 1386 applies irrespective of the location of the data or whether the "person or business" has offices in California.

It specifically applies to companies that host or run outsourced operations on behalf of another: they are under an obligation to notify the owners or licensees of the data that there has been a breach. For example, it would apply to companies running outsourced operations for online merchants.

Who can sue?

A civil right to bring legal action is conferred and appears to contemplate situations where individuals or classes of people suffer loss and damage in circumstances where a notification was not issued as required under the legislation, or was not issued soon enough after the security breach was discovered.

The law follows the significant increase in the number of identity thefts and security breaches in California in recent years, notably the hackers who broke into the payroll database for the State of California and gained access to personal information on 265,000 state employees. This event was exacerbated by the failure of the state to notify employees for more than two weeks after the breach was discovered.

What is its impact?

The main risk associated with SB 1386 is that litigation could arise in the event of a failure to notify a breach which results in loss and damage to California residents. Given the general approach by the US courts there must be a risk of an increased award of damages if businesses deliberately conceal security breaches or fail to notify, which some may be tempted to do in order to protect their brand or avoid a public outcry.

For UK companies with no place of business in the US the risk of being sued may be lower, owing to the practical and legal obstacles to bringing (and enforcing) a cross-border action of this type. Those with a physical US presence may be more vulnerable, particularly if they are based in California or if federal legislation follows.

The first practical step to take will be to work out whether SB 1386 applies to you, in the light of the particular circumstances of your business. If it does you should get an assessment of the legal risks. If those risks are high you should look at your systems and work out whether security needs to be increased.

One area that should be looked at in particular is encryption. The legislation does not apply to personal data that is encrypted. Third-party commercial relationships and their approach to the issue - such as suppliers involved in handling credit card details on your behalf - should also be looked at.

Whether the Californian legislation will be replicated across the US and into the European Union and the UK remains to be seen.

Security breaches will undoubtedly continue to occur and if legislators sense that companies are covering them up or notify late, causing loss and damage to those affected, it may only be a matter of time before EU and UK legislators act.

Mike Bywell and Katherine Hill are members of the technology, media and communications group at law firm DLA

Read more on IT risk management