The exposure of the PII of more than 3,500 California residents in the database of international multi-level marketing firm Arbonne following a breach on April 23 offers a glimpse into whether the state will enforce its new privacy statute that went into effect in January.
Almost half of a four-page information sheet from Arbonne describing the hack makes multiple references to the California statute, and how the company is adhering to the requirements of Cal. Civ. Code 1798.82 (h)(2).
Arbonne disclosed that on April 23 it discovered a “data table containing limited personal information may have been accessible to [an] unauthorized actor.” The company provided preliminary notification to the impacted 3,527 California individuals, among others not mentioned in the announcement. By May 22, the California residents received additional written details about what happened and how their passwords may have been compromised. Other compromised information included user name and address.
California consumers whose information had been exposed are being offered free credit monitoring and protections against identity theft, both as required by the statute. Arbonne reported the incident to the FBI and relevant regulators, and is continuing the investigation.
Roger Grimes, data-driven defense evangelist at KnowBe4, said, “It’s unclear, possibly intentionally so, whether this is a few thousand customers impacted in California or many more customers all over the United States or global, but I bet it’s far broader than is being let on right now.”
Grimes praised California’s notification laws. “It goes to show you that mandatory notification laws are a good thing, flaws and all.”