Data Breach Law

PCI DSS compliance

Payment Card Industry Data Security Standards (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

PCI Cost
Most small businesses fall under the level 4 merchant category, and PCI compliance costs can be as low as $10 a month. The cost also depends on business type, hardware, software and other factors.

PCI violation penalty: (www.pcicomplianceguide.org/faq)
The violation penalty alone can be $5000 – $100,000 per month, passed from the credit card brand to the banks and eventually to business owners. In most cases, a business is notified if there is a violation of PCI compliance and can be charged at least $5000 to start; if the violation is not resolved, the fine is charged monthly.

Breakdown of data breach costs:

  • Lawyer fees
  • Mandatory forensic examination: Average cost $20,000-$50,000
  • Notification to victims:
  • Credit and identity monitoring for victims of breach for up to a year
  • Setting up call center for victims:
  • Liability for fraud charges lawsuits
  • Card replacement cost: Yes, card issuers can charge you for this. Average cost $3-$10.
  • Upgrading or replacing POS system (depending on what is discovered as cause of breach)
  • An external Qualified Security Assessor must be brought in to look at the new POS system before your business can accept electronic payments, and to do a complete reassessment for PCI compliance.

California Civ. Code s. 1798.82.

(h) For purposes of this section, “personal information” means either of the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.
(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

California Civ. Code s. 1798.84.

(a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.
(b) Any customer injured by a violation of this title may institute a civil action to recover damages.
(c) In addition, for a willful, intentional, or reckless violation of Section 1798.83, a customer may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.83.

California Civil Code s. 1798.29(a) for state agencies and California Civ. Code s. 1798.82(a) for businesses. Health & Safety Code § 1280.15: Notification requirements applicable to a clinic, health facility, home health agency, or hospice licensed pursuant to Cal. Health & Safety Code section 1204, 1250, 1725, or 1745.

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.

These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).

This is provided for informational purposes only and is not legal advice. For more details on a specific case, please seek legal help.