Cyber-attacks and data breaches have increased in recent years, creating risks for consumers and businesses alike. From 2012 to 2015, the California Office of the Attorney General (“Attorney General”) received reports of 657 data breaches affecting more than 49 million records of California residents. In fact, in 2015 alone, 178 breaches put over 24 million records of Californians at risk—that’s nearly three out of five Californians. The Attorney General’s 2016 California Data Breach Report notes that malware and hacking likely present the greatest risk to organizations and consumers, both in the number of breaches (365, 54%) and the number of records (44.6 million, 90%) breached. It also notes that small businesses appear to be more susceptible to cyber-attacks and experienced physical breaches at a greater rate than larger organizations despite having less data. The most sensitive personal information—social security numbers and medical information—is the target of attacks, rather than other data types.
Initial Planning Necessary—Breaches Will Occur
In addition to a person’s or company’s monetary loss and compromised exposure by data breaches, liability for such losses and damages rests with the company or organization whose system was breached. This means that an organization should have a plan in place that specifies ongoing data security measures, and a checklist of immediate and ongoing steps when a breach occurs. Don’t get caught “flat footed”, attempting to decide on, and implement, a procedure after the breach.
California’s Breach Notification Law
California’s Breach Notification Law requires any person or organization conducting business in California, as well as any local or state government agency, that owns or licenses “computerized data” containing personal information to notify any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person as the result of a security breach. Cal. Civil Code § 1798.82(a). The law provides a flexible standard, rather than a “bright line” rule, requiring companies and organizations that own or license the data to notify individuals “in the most expedient time possible and without unreasonable delay.” Id. However, service provider organizations who maintain such data on behalf of other businesses or organizations must notify the owner or licensee of the data immediately in the event of a suspected data breach. Cal. Civil Code § 1798.82(b). When a data breach affects more than 500 California residents, the law also requires that organizations notify the Attorney General of the incident. See Cal. Civil Code § 1798.82(f). Such breaches have been reported to date since 2012, and their frequency is growing. It should be noted that California’s Breach Notification Law does not require notification when the data is encrypted. Thus, companies and organizations have a strong incentive to protect their customers’ personal information through the use of encryption.
A company’s failure to maintain reasonable security safeguards to protect personal information from unauthorized access can result in significant exposure to liability, including, civil and class action lawsuits, shareholder derivative suits, enforcement actions by the Federal Trade Commission as well as other federal and state regulators, and enforcement actions by state attorneys general.
To help minimize exposure to monetary loss and liability resulting from a data breach, companies and organizations (and their Boards and managers) should make cybersecurity a top priority in their overall management. In particular, startups and companies launching new products or software should consult with their attorneys early on in the process to analyze any privacy or security risks that may be present in new product development. Consideration should be given to purchasing cyber insurance, which can greatly mitigate risks related to data incidents.
Cyber-attacks are a very real threat that can undermine your business if not properly handled. If you have any questions about the content of this month’s Advisor, please feel free to contact me or the BFAS attorney with whom you regularly work.
Nathan R. Hardy, Attorney
DISCLAIMER: This Advisor is one of a series of business, real estate, employment, estate planning and tax bulletins prepared by the attorneys at Buynak, Fauver, Archbald & Spray, LLP. This Advisor is not exhaustive, nor is it legal advice. You should discuss your particular situation with us or with your own attorney. Our legal representation is only undertaken through a written engagement letter and not by the distribution or use of this Advisor.
 California Data Breach Report (Feb. 2016), available at https://oag.ca.gov/breachreport2016 (“California Data Breach Report”).
 Please note there is a separate data breach notification law that applies to licensed health facilities. See Cal. Health & Safety Code § 1280.15. This law requires such organizations to report breaches of patient information to the California Department of Public Health and to affected patients within 15 business days after detection of a breach, unless doing so would impede a law enforcement investigation.
 Forty-eight states, including California, now have breach notification laws requiring companies and organizations to notify individuals when their personal information has been breached. Alabama and South Dakota are now the only states without breach notification laws.
 See Barlyn et Cohn, Companies use insurance to guard against ransomware (Reuters), Santa Barbara News-Press, p. B-1 (May 20, 2017).