On September 30, 2014, California Governor Jerry Brown signed into law Assembly Bill No. 1710, which amends various sections of the California Civil Code that relate to personal information privacy (the "Amendment"). The Amendment will take effect on January 1, 2015, and seeks to enhance the protection of personal information of California residents by making the changes to California's existing laws described below.
1) Prohibiting the Sale of Social Security Numbers
Under existing law, California Civil Code Section 1798.85 prohibits a person or entity from publicly posting or displaying a social security number, among other things. Assembly Bill 1710 amends this section so that it now prohibits a person or entity from selling, advertising the sale of, or offering to sell an individual's social security number. The amended statute explicitly provides that "release of an individual's social security number for marketing purposes is not permitted." The new law does, however, allow the release of a social security number i) if the release is incidental to a larger transaction and is needed to identify the individual in order to serve a legitimate business purpose, and ii) if the release is for a purpose "specifically authorized or specifically allowed by federal or state law."
2) Requiring Notifying Entities or Persons to Offer Identity Theft Protection and Mitigation Services
In the event of a security breach involving the personal information of a California resident, California Civil Code Section 1798.82 currently requires businesses or persons to notify affected individuals (and in some cases, the California Attorney General) and specifies the information required to be included in the notification.
The amended statute now requires the source of a data breach to make available identity theft prevention and mitigation services, if any, at no cost to the affected individuals for at least twelve (12) months if the breach exposed or may have exposed an individual's first name or first initial and last name, in combination with their social security number and/or driver's license number or California identification card number.
3) Requiring Organizations that "Maintain" Personal Information about Californians to Implement Security Procedures
Assembly Bill No. 1710 also amends Civil Code Section 1798.81.5, a statute intended to encourage businesses to protect the personal information of California residents. The current law applies to businesses that "own or license" personal information concerning a California resident and requires such businesses to "implement and maintain reasonable security procedures and practices . . . to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." The amended statute now also applies to businesses that merely "maintain" personal information about a California resident and requires such businesses to also adopt and implement reasonable security measures. The legislation provides that the term "maintain" includes "personal information that a business maintains but does not own or license."
Businesses or persons that handle personal information about California residents should start taking measures now to ensure compliance with California’s new laws on personal information privacy.
Businesses that "maintain" personal information should review the types of personal information they handle and analyze their current data security procedures to make sure they have data security procedures in place that are appropriate to the nature of the information handled. Even though courts, legislators and regulators have not yet offered comprehensive guidance on what constitutes "reasonable" security procedures and practices, affected businesses need to become familiar with the new law and look to Federal Trade Commission reports and enforcement orders, which may provide insight on what may be considered to be "reasonable."
Relevant businesses should analyze how social security numbers are being used in their organization, and implement policies and procedures to make sure the numbers are not used for marketing purposes, and that they are not sold, advertised for sale or offered for sale.
In situations where breached entities are required to provide identity theft prevention and mitigation services to affected individuals under amended Civil Code Section 1798.82, companies that contract with third parties to offer such services may want to make sure that contractual restrictions are in place that require the third party to make clear that any offer of additional, paid services to individuals who engage them for the free services is being made by the third party and not the breached entity.