From November 27 through December 15, 2013, hackers stole credit card numbers and encrypted debit card PIN data from as many as 40 million credit and debit cards swiped at Target. The security breach was the second-largest data breach in United States retail history. According to Target, it “alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts. Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident.” In a letter to customers, Target warned that customer names, credit and/or debit card numbers, expiration dates, and the CVV (security codes) were stolen. Target is facing significant financial ramifications, including legal costs as well as owing money to the credit card companies that must reimburse their customers. Target also faces significant damage to its reputation.
Several months ago, Forbes magazine reported on class action lawsuits over the failure of businesses to secure consumers’ personal data, such as what occurred in the Target breach. While the filing of such cases may become the trend, it does not appear that they will be successful, as recent cases have been dismissed for failure to prove standing. The judges in those cases have specifically ruled that the possibility of future injury in the form of an increased risk of identity theft is insufficient to establish a present injury, and thus, plaintiffs do not have standing.
Interestingly, just two months before the Target data breach, California Governor Jerry Brown signed into law an amendment to California’s Security Breach Notification Act. According to Forbes, the new law requires “consumer notification if ‘a user name or email address, in combination with a password or security question and answer that would permit access to an online account’ was compromised. The law applies even if that information is not combined with a name, and applies to all types of online accounts.”
The new law amends California’s existing data breach notification law, which has been in effect since July 1, 2003. That law requires businesses and government agencies to notify consumers when a security breach occurs involving an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) social security number; (2) driver’s license number or California ID card number; (3) bank account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to the individual’s financial accounts; (4) medical information; (5) health insurance information. The new law went into effect yesterday, January 1, 2014, and it should not be overlooked by California businesses, big and small.
California businesses that collect and store the data and personal information of California resident consumers/customers should familiarize themselves with the new law, and examine their existing data security measures and response plans in order to ensure compliance with the new law in the event of a future security breach like the one that befell Target. Even though you and your business may not need to worry about lawsuits alleging violations of the data breach laws, compromising the personal and financial information of your California customers is a sure way to lose their trust and patronage. If you have questions about how the new law affects you and/or you need assistance complying with the requirements of the new law, an experienced business lawyer can help you. Contact us today.