Following a recent spate of security breaches in the headlines, California signed into law a security breach requirement which builds on the existing personal information protection requirements in the State by:

  1. requiring that if breach notification is made by the person or business responsible for the breach, that person or business must offer to provide “appropriate identity theft prevention and mitigation services, if any,” to the affected person at no cost for not less than 12 months if the breach exposed or may have exposed specified personal information;
  2. expanding the requirement for businesses to implement and maintain reasonable security procedures and practices to not only businesses that own or license certain defined personal information about a California resident but also to businesses that maintain such information, which catches many more businesses. This provision now also requires that if the business discloses such information to a third party, it must require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure; and
  3. prohibiting the sale, advertisement for sale, or offer to sell of an individual’s social security number, except as specified.

Covered personal information is relatively broad and includes an individual’s first name or initial and last name in combination with any of the following (if neither is encrypted or redacted): social security number, driver’s license, medical information, financial account number in combination with password or access code, etc.

The law becomes effective on January 1, 2015.

ACTION ITEM

Businesses, including California employers, should review their:

  1. breach notification policies and procedures to ensure their ability and preparedness to comply with the additional requirements; and
  2. third party contract process to make sure that if disclosing the defined personal information about a California resident (such as a California employee) to a third party, contractual obligations are imposed on that third party to implement and maintain reasonable security procedures and practices.