California Credit Law Blog

In 2008, clients Jayni and Dan Fontaine applied for life insurance from New York Life Insurance Company. To be approved, they had to pass medical exams. As part of the exam process, they provided their personal identifying information. Their information and that of over 100 other persons went into a computerized database accesible by New York Life representatives. Two identity thieves in Sacramento then hacked into the database stealing the Fontaine's personal information.

The identity thieves ordered merchandise and opened accounts in the Fontaine's names and others. Victims in Davis, California, complained to the police; after obtaining a search warrant, the police found incriminating evidence in the fraudsters' apartment. The FBI and U.S. Attorney later took over the case and filed criminal complaints against the pair. Both have pled guilty.

California law requires any company that suffers a databreach of personal information to promptly notify the victims. The Fontaine complaint, which was filed in Sacramento County Superior Court, alleges that New York Life Insurance did not promptly notify the victims. The Fontaines allege that the delay resulted in their credit being ruined.They are suing for damages.

As we all know, businesses collect identifying information on millions of consumers, which is stored in computerized databases. From time to time, hackers get into the system and steal the personal information. Or an employee loses a laptop containing such information. The thieves then use the personal information to open credit card accounts in consumers' names. Or order merchandise using the consumers' information. The result is identity theft on a large scale.

In 2002, California enacted the first law requiring any business that experiences a breach of its security system such that names, addresses, credit card number or social security numbers is lost must inform affected consumers in the most expedient time possible. To comply with the law, businesses typically send letters to the persons whose data was lost; however, studies showed that the letters were often too vague to be of much value.

The Legislature has now amended the law to specify that the notice letters must contain the name and contact information of the business that lost the data, a list of the types of personal information that may have been lost, and a toll-free number for persons to call for more information. The letters must also disclose the date and description of the breach incident, and what the business is willing to do to assist the consumers. This information should help consumers know how to protect their own credit from fraudsters.

Businesses that have not complied with California and other states' laws have been the target of class actions seeking damages.