Identity Theft: Addressing the Problem in California

1
Identity Theft Addressing the Problem in
California

• Joanne McNabb, Chief
• CA Office of Privacy Protection

2
Outline of Presentation

• Office of Privacy Protection
• CA Law on Notification of Security Breach (SB
  1386)
• CA ID Theft Laws and FACTA

3
Office of Privacy Protection Mission

• Promote and protect the privacy interests of
  individuals in a manner consistent with the
  California Constitution.
• Identify consumer privacy problems and facilitate
  development of fair information practices.

4
Office of Privacy Protection Functions

• Offer assistance to consumers
• Provide information education
• Coordinate with law enforcement
• Recommend best practices to protect individual
  privacy

5
Why People Contact OPP
6
The CA Constitution Federal Preemption

• California Constitution, Article 3, 3.5
• An administrative agencyhas no power
• (c) To declare a statute unenforceable, or to
  refuse to enforce a statute on the basis that
  federal law or federal regulations prohibit the
  enforcement of such statute unless an appellate
  court has made a determination that the
  enforcement of such statute is prohibited by
  federal law or federal regulations.

7
CA Identity Theft Data Protection Laws in FACTA

• Blocking of ID theft info in credit files
• CA Civil Code 1785.16(k), 1785.16.1,
  1785.16.3,1785.20.3(b) FCRA 605B
• Victim access to documents on fraudulent accounts
  
• CA Penal Code 530.8 FCRA 609(e)

• Credit card number truncation
• CA Civil Code 1747.9 FCRA 605(g)
• Destruction of customer records
• CA Civil Code 1798.81 FCRA 628

8
CA Identity Theft Laws Not in FACTA

• Right of victim to get police report
• CA Penal Code 530.6
• Rights of criminal ID theft victim
• CA Penal Code 530.6-530.7
• Right of victim to bring action vs. claimant
• CA Civil Code 1798.93

• Right of victim to 12 free credit reports in year
  
• CA Civil Code 1785.15.3(b)
• Right to freeze credit files
• CA Civil Code 1785.11.2 et seq.
• Burden of proof on debt collector in ID theft
• CA Civil Code 1788.18

9
CA Data Protection Laws Not in FACTA

• Ban on public display of SSNs
• CA Civil Code 1798.85 et seq.
• Ban on recording personal info on credit card
  transactions
• CA Civil Code 1747.8
• Ban on recording credit card on checks
• CA Civil Code 1725

• Limits on use of personal info swiped from DL
• CA Civil Code 1798.90
• Secure mailing of convenience checks
• CA Financial Code 22342(d)
• Requirement to notify of security breach
• CA Civil Code 1798.29, 1798.82 et seq.

10
Contacts on ID Theft Security Breaches
thru 4/14/04
11
CA Notice of Security Breach Law

• Applies to person, company, state agency
• Must notify people in the most expedient time
  possible and without unreasonable delay if
  personal information is acquired by unauthorized
  person

Civil Code 1798.29, 1798.82 1798.84
12
Notice of Security Breach Law

• Applies to unencrypted, computerized data
  including personal info
• Personal info defined
• First name or initial and last name, plus
• SSN,
• DL, or
• financial account number and any PW.
• Time allowed for
• internal analysis to determine scope, and
• law enforcement investigation

13
Notice of Security Breach Law

• Notice may be
• Written, or
• Electronic, or
• Substitute if 250,000 or 500,000
  people
• Substitute notice must be all of
• Email when agency has addresses
• Web site posting
• Major statewide media

14
The Notification Test

• Was there a "breach of the security" of the data
  as defined?
• Does the data include personal information" as
  defined?
• Does that "personal information" relate to a
  California resident?
• Was the "personal information" unencrypted?
• Was the "personal information" acquired, or
  reasonably believed to have been acquired, by an
  unauthorized person?

15
Examples of Incidents

• Hacking into server containing file w/ names
  SSNs
• Stolen computers w/ names SSNs
• Documents containing names SSNs mailed to wrong
  people
• Server hijacked for use as relay to download
  music or to send spam (server has files with
  names, SSNs, etc.)

16
Best Practices Document

• Recommended Practices on Notification of
  Security Breach Involving Personal Information
• Protection Prevention
• Preparation for Notification
• Notification (with sample letters)
• Available on Web site on Recommended Practices
  page

17
Contact Information

• Joanne McNabb, Chief
• 400 R Street, Suite 3080
• Sacramento, CA 95814
• 916-322-4420
• joanne_mcnabb_at_dca.ca.gov
• www.privacy.ca.gov