Legal Question in Business Law in California

Identity theft

Is there a law on the books that requires businesses to notify customers if their database has been hacked and personal data has been stolen?

Thank you.


Asked on 5/20/05, 5:37 am

3 Answers from Attorneys

Ken Koenen Koenen & Tokunaga, P.C.

Re: Identity theft

I don't know if there is a law on the books, but if you are aware of the possible theft and do not notify the person whose identity might have been compromised, you could be deemed to be negligent, and responsible for their damages.

Answered on 5/20/05, 7:32 am
Terry A. Nelson Nelson & Lawless

Re: Identity theft

There is federal law on the issue, but even without that law the business would be liable for more damages if they don't immediately notify and take action to protect the customer. There is already liability for the loss and damages; not notifying the customers would make it worse. The business needs a good attorney at this point, to help minimize the problems. Contact me if interested.

Answered on 5/20/05, 8:57 am
Bryan Whipple Bryan R. R. Whipple, Attorney at Law

Re: Identity theft

California law on identity theft generally places the initial burden on the victim, i.e. to notify the credit granter, bank, store, etc. of a possible theft of his/her identity. Then, the data base owner must investigate and, of course, the victim is absolved of liability in most instances. See Penal Code sections 530.6 to 530.8 and Civil Code sections 1798.92 to 1798.97.

Although I found no reported case saying so, I believe under conventional negligence theory a data base holder who has experienced a break-in would be liable to victims of any identity theft resulting from the hacking on non-statutory grounds of either (1) failure to keep the data secure, or (2) failure to timely report the hacking and possible data theft. These would not necessarily be easy cases to win; it would take good proof of all the elements of negligence.

As one of the previous answers points out, federal legislation tends to cover this field, since much of the activity affects interstate commerce and/or federally-regulated institutions such as national banks. I don't have the citations to the U.S. Code handy but you could probably find them on line.

Answered on 5/20/05, 9:39 am

