Identity Theft: Addressing the Problem in California. Joanne McNabb, Chief CA Office of Privacy Protection. Outline of Presentation. Office of Privacy Protection CA Law on Notification of Security Breach (SB 1386) CA ID Theft Laws and FACTA. Office of Privacy Protection Mission.
Identity Theft: Addressing the Problem in California
Joanne McNabb, Chief
CA Office of Privacy Protection
Computers, Freedom and Privacy
April 23, 2004

Outline of Presentation
• Office of Privacy Protection
• CA Law on Notification of Security Breach (SB 1386)
• CA ID Theft Laws and FACTA

Office of Privacy Protection Mission
• Promote and protect the privacy interests of individuals in a manner consistent with the California Constitution.
• Identify consumer privacy problems and facilitate development of fair information practices.

Office of Privacy Protection Functions
• Offer assistance to consumers
• Provide information & education
• Coordinate with law enforcement
• Recommend best practices to protect individual privacy

The CA Constitution & Federal Preemption
California Constitution, Article 3, § 3.5:
An administrative agency…has no power…
(c) To declare a statute unenforceable, or to refuse to enforce a statute on the basis that federal law or federal regulations prohibit the enforcement of such statute unless an appellate court has made a determination that the enforcement of such statute is prohibited by federal law or federal regulations.

CA Identity Theft & Data Protection Laws in FACTA
• Blocking of ID theft info in credit files: CA Civil Code §§ 1785.16(k), 1785.16.1, 1785.16.3, 1785.20.3(b) — FCRA § 605B
• Victim access to documents on fraudulent accounts: CA Penal Code § 530.8 — FCRA § 609(e)
• Credit card number truncation: CA Civil Code § 1747.9 — FCRA § 605(g)
• Destruction of customer records: CA Civil Code § 1798.81 — FCRA § 628

CA Identity Theft Laws Not in FACTA
• Right of victim to get police report: CA Penal Code § 530.6
• Rights of “criminal ID theft” victim: CA Penal Code §§ 530.6-530.7
• Right of victim to bring action vs. claimant: CA Civil Code § 1798.93
• Right of victim to 12 free credit reports in year: CA Civil Code § 1785.15.3(b)
• Right to freeze credit files: CA Civil Code § 1785.11.2 et seq.
• Burden of proof on debt collector in ID theft: CA Civil Code § 1788.18

CA Data Protection Laws Not in FACTA
• Ban on public display of SSNs: CA Civil Code § 1798.85 et seq.
• Ban on recording personal info on credit card transactions: CA Civil Code § 1747.8
• Ban on recording credit card # on checks: CA Civil Code § 1725
• Limits on use of personal info swiped from DL: CA Civil Code § 1798.90
• Secure mailing of “convenience checks”: CA Financial Code § 22342(d)
• Requirement to notify of security breach: CA Civil Code §§ 1798.29, 1798.82 et seq.

Contacts on ID Theft & Security Breaches thru 4/14/04
CA Notice of Security Breach Law
• Applies to person, company, state agency
• Must notify people “in the most expedient time possible and without unreasonable delay” if personal information is acquired by unauthorized person
Civil Code §§ 1798.29, 1798.82 & 1798.84

Notice of Security Breach Law
• Applies to unencrypted, computerized data including personal info
• Personal info defined:
  • First name or initial and last name, plus
  • SSN,
  • DL#, or
  • financial account number and any PW.
• Time allowed for
  • internal analysis to determine scope, and
  • law enforcement investigation

Notice of Security Breach Law
• Notice may be:
  • Written, or
  • Electronic, or
  • Substitute if >$250,000 or >500,000 people
• Substitute notice must be all of:
  • Email when agency has addresses
  • Web site posting
  • Major statewide media

The Notification Test
• Was there a "breach of the security" of the data as defined?
• Does the data include "personal information" as defined?
• Does that "personal information" relate to a California resident?
• Was the "personal information" unencrypted?
• Was the "personal information" acquired, or reasonably believed to have been acquired, by an unauthorized person?

Examples of Incidents
• Hacking into server containing file w/ names & SSNs
• Stolen computers w/ names & SSNs
• Documents containing names & SSNs mailed to wrong people
• Server hijacked for use as relay to download music or to send spam (server has files with names, SSNs, etc.)

Best Practices Document
• “Recommended Practices on Notification of Security Breach Involving Personal Information”
  • Protection & Prevention
  • Preparation for Notification
  • Notification (with sample letters)
• Available on Web site on Recommended Practices page

Contact Information
Joanne McNabb, Chief
400 R Street, Suite 3080
Sacramento, CA 95814
916-322-4420
joanne_mcnabb@dca.ca.gov
www.privacy.ca.gov
CFP, April 23, 2004