Computer technology and the internet have created countless opportunities for both businesses and consumers. As more and more commercial activity moves online, however, the risks to the integrity of a company’s digital records grow greater. Cybersecurity breaches threaten not only the company’s assets but also stored customer information. Consumer information is often the target of hackers because it may enable further fraudulent activities like identity theft. Companies that collect and store personal information have a duty under California law to protect that information and to notify consumers in the event of a breach. Penalties for noncompliance may include civil liability to consumers and state or federal regulatory actions. Northern California business owners that deal with digital consumer information should make cybersecurity a critical part of their business operations.California’s Breach Notification Law (BNL) defines “personal information” as any information that “is capable of being associated with a particular individual,” such as a name, address, date of birth, and social security number or other identification number. Cal. Civ. Code § 1798.80(e). Businesses must “implement and maintain reasonable security procedures and practices” to safeguard customers’ personal information from cybersecurity breaches. Id. at § 1798.81.5(b).
If a breach occurs, the BNL requires businesses to notify individuals who were affected by the breach “in the most expedient time possible and without unreasonable delay.” Id. at § 1798.82(a). If a business intentionally shares customer information, such as for marketing purposes, California’s “Shine the Light” (STL) law requires it to make certain disclosures to customers in advance and to disclose, upon a customer’s request, which information was shared and with whom. Id. at § 1798.83.
Any contractual provision that waives an obligation under the BNL is considered “void and unenforceable.” Id. at § 1798.84(a). Customers may file civil actions for injuries sustained due to violations of any of the provisions of the BNL. Violations of the STL law that are found to be “willful, intentional, or reckless” may result in civil penalties. Id. at § 1798.94(c). Businesses may also be subject to injunctions to prevent further violations.