Published on:

Cybersecurity Obligations of California Businesses

Computer technology and the internet have created countless opportunities for both businesses and consumers. As more and more commercial activity moves online, however, the risks to the integrity of a company’s digital records grow greater. Cybersecurity breaches threaten not only the company’s assets but also stored customer information. Consumer information is often the target of hackers because it may enable further fraudulent activities like identity theft. Companies that collect and store personal information have a duty under California law to protect that information and to notify consumers in the event of a breach. Penalties for noncompliance may include civil liability to consumers and state or federal regulatory actions. Northern California business owners that deal with digital consumer information should make cybersecurity a critical part of their business operations.California’s Breach Notification Law (BNL) defines “personal information” as any information that “is capable of being associated with a particular individual,” such as a name, address, date of birth, and social security number or other identification number. Cal. Civ. Code § 1798.80(e). Businesses must “implement and maintain reasonable security procedures and practices” to safeguard customers’ personal information from cybersecurity breaches. Id. at § 1798.81.5(b).

If a breach occurs, the BNL requires businesses to notify individuals who were affected by the breach “in the most expedient time possible and without unreasonable delay.” Id. at § 1798.82(a). If a business intentionally shares customer information, such as for marketing purposes, California’s “Shine the Light” (STL) law requires it to make certain disclosures to customers in advance and to disclose, upon a customer’s request, which information was shared and with whom. Id. at § 1798.83.

Any contractual provision that waives an obligation under the BNL is considered “void and unenforceable.” Id. at § 1798.84(a). Customers may file civil actions for injuries sustained due to violations of any of the provisions of the BNL. Violations of the STL law that are found to be “willful, intentional, or reckless” may result in civil penalties. Id. at § 1798.94(c). Businesses may also be subject to injunctions to prevent further violations.

A few recent court decisions offer an idea of how these laws can affect businesses:

– A federal court in San Jose allowed a class action claim under the BNA to proceed with regard to allegations of “failure to maintain ‘reasonable’ security measures” under § 1798.81.5, but the court dismissed the plaintiffs’ failure to notify claims under § 1798.82. In re Adobe Systems, Inc. Privacy Litigation, 66 F. Supp. 3d 1197, 1217 (N.D. Cal. 2014).
– A San Diego federal court allowed a class action failure to notify claim to proceed. In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F.Supp.2d 942 (S.D. Cal. 2014).
– A San Francisco court dismissed a BNL claim for lack of standing, finding no “causal connection between [the defendant’s] conduct” and the plaintiff’s injuries. Antman v. Uber Technologies, No. 3:15-cv-01175, order at 17 (N.D. Cal., Oct. 19, 2015).
– A California appellate court ruled that delinquency on a loan was not the type of “personal information” protected by the BNL. Jacks v. Crawford Inv. Co., No. E052650, slip op. (Cal. App. 4th, May 24, 2012).

For more than 40 years, Cirrus Law PC has advocated for the interests and rights of Bay Area businesses and business owners in litigation and transactional matters. Contact us today online or at (925) 463-1073 to schedule an initial confidential consultation to see how we can assist you.

More Blog Posts:

Why Businesses Should Resist Any Temptation to Create Fake Online Reviews, Pleasanton Business & Commercial Law Blog, August 29, 2014

Ninth Circuit Rules in Favor of Video-Rental Company in Lawsuit Alleging Violations of California Privacy Law, Pleasanton Business & Commercial Law Blog, July 31, 2014

Liability for Cybersecurity Breaches Still Uncertain for Many Businesses, Pleasanton Business & Commercial Law Blog, June 30, 2014


Contact Information