Selling or buying stolen data illegal in California

Published on

In the past decade, several large-scale data breaches have resulted in troves of personal information (PI) and other data falling into the hands of malicious actors. For instance, in 2013, the records of over a billion users were compromised from the email system of Yahoo, including names, birth dates, phone numbers, passwords, backup email addresses, and security question answers. More recently, a massive breach of Facebook's databases compromised the PI of over 533 million users from 106 countries, including over 32 million records on users in the United States. These data included phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses.

In many cases, the incentive to steal this data lies in the sizable value of these databases on illicit markets. Reports indicate that in the case of the Yahoo breach, three buyers – two known spammers and an entity that appeared more interested in espionage – paid about $300,000 each for a complete copy of the database. The data lifted from Facebook allegedly sold initially for tens of thousands of dollars, and continued to circulate on illicit markets for lower prices until it was finally published online for free.

California decided to fight back against this illegal market by adopting AB 1391 this year, signed by the Governor in October. Under current law, most activity to hack consumer data is illegal. However, the law is less clear as to whether selling data obtained from a hack or buying such data is illegal.

AB 1391 makes it unlawful for a person to sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime and will also make it unlawful for a person, who is not an authorized person, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data through the commission of a crime.

This law has several implications for California businesses. First, it may help prevent some breaches of data by unauthorized actors by increasing the risk. Second, it should give any business pause that purchases prospect lists, particularly if there is any reason to believe that the seller did not obtain the data legally. Third, this may provide a tool to businesses when an employee leaves with customer data, as it could result in criminal penalties for the employee if he or she attempts to sell or sell access to that customer data.

This law goes into effect on January 1, 2022. We will watch closely to see how California law enforcement takes advantage of this new tool to fight customer data breaches.