Nearly every State in the Union has a data breach notification law. In general, the laws define a data breach, outlines to whom the law applies, give direction on how to notify consumers, should a company experience a data breach, and outline penalties for companies who do not comply. In this article, we will examine California’s breach law and how it may affect lost and found operations.
Breach defined – An unauthorized acquisition of data that compromises the security, confidentiality, or integrity of “Personal Information”.
To whom it applies – Any business or non-profit agency operating in the State of California. The headquarters or physical location of the organization is irrelevant; if you do business in California, you must comply with the law.
The law further states “It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information about Californians, to provide reasonable security for that information.” The term “maintain” includes personal information that a business maintains, but does not own or license.
Can simply storing unclaimed devices in a company’s lost and found be considered maintenance? According to IT Attorney and Data Privacy expert, Stephen Wu, it can. “By storing and caring for lost electronic devices, it can reasonably be said that the property is maintaining the device and the information it contains,” says Wu.
It seems reasonable that any business, operating a lost and found department in California, should be very concerned about how it handles the disposition of the unclaimed, data laden, electronic devices it maintains in its’ lost and found. Since a breach is defined as an unauthorized acquisition of data, a device that is not professionally erased, before being disposed, would be considered a data breach. In other words, giving a device to the person who found it, donating to a local charity that lacks the skill or desire to erase the data, or auctioning it without professionally clearing it, would constitute a data breach.
Notification requirements – If you experience a data breach, you are required to notify the owner of the information that his information was accessed by an unauthorized person.
While it’s true a business cannot be sure that the data on unclaimed devices has been accessed after disposal, it can be reasonably sure a device that was not cleared has been. How so? It is estimated that 30% of devices contain no user password, making all the data on the device easily accessible. If a business reasonably believes that the data was acquired by an unauthorized person, it must notify the owner of the breach.
What if the device owner is not known? After all, if you had known the owner, you would have returned the device. This will make your Public Relations department cringe. The business is required to give “substitute notice”. Substitute notice shall consist of ALL of the following:
Email notice if you have an email address for the subject persons.
Conspicuous posting on the business website.
Notification to major statewide media.
Notification of statewide media can bring unwanted negative attention. This can sully your brand in ways you cannot initially quantify; ultimately, it can hurt revenue. Consider the findings in Gemalto’s 2016 Data Breaches and Customer Loyalty report. According to the report, 66% of consumers would be unlikely to do business with organizations responsible for a breach of data.
Conclusion – Securely dispose of unclaimed electronic devices. The law provides for disposal, where it says “A business shall take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control, containing personal information, when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.”
Our program completely protects your organization from data breaches caused by the improper disposal of unclaimed electronic devices. Utilizing a combination of proprietary processes and software, through our Data-Secure program, we completely erase all working devices and dispose of non-working devices in a secure and environmentally responsible manner.