On Friday, September 27, California governor Jerry Brown signed a bill, S.B. 46, which increases the online protection of potential identity theft for Californians by requiring companies to give notice when a California resident’s log in data is compromised. California’s attorney general sponsored the law, which was written by Senate Majority Leader Ellen Corbett (D-East bay). The eCrime Unit of the attorney general’s office had found that criminals increasingly targeted websites with inadequate security to collect login information such as email addresses, usernames, and passwords. Due to the fact that many people use the same login information across multiple accounts, thieves of such information would be able to gain access to many of the victim’s accounts.
California law already requires companies that owns or licenses computerized data of California residents to notify residents whenever a breach of their personal information occurs. Currently, personal information under California law includes a resident’s first and last name, or first initial and last name, in combination with a social security number, driver’s license number, California identification card number, account number, credit or debit card number in combination with a security access code number, medical information, or health insurance information. S.B. 46 adds to the list of personal information - user names or email addresses, in combination with a password or security question and answer that would allow third party access to the account.
Additionally, the new California law provides electronic notification for breaches involving log in information only. A business can comply with security breach notification requirements through an electronic notification that directs a person whose information has been breached to take steps to protect the comprised online account and any other account where the login information is used - such as changing his or her password and security question or answer. The law prohibits the use of email notification in the event that the breach involved the login credentials of that email. In this circumstance, a business can notify individuals by providing clear and conspicuous notice delivered to an IP address or online location that the business knows the individuals customarily use to access the breached account, or through pre-existing breach notification methods under California law. It is also important to note that the new methods of notification only apply to a compromise of login information only. If a breach involves login information as well as other personal information, then notification must be given through pre-existing notification methods.
The new California law becomes effective on January 1, 2014. Businesses that maintain information for California residents, which include usernames, emails, passwords, and security questions and answers, will need to modify their data security procedures to account for the new notification requirements of S.B. 46 and ensure compliance. For more information regarding the details of S.B. 46, read the full text of the bill here.