On September 30, 2014, Gov. Edmund G. Brown signed AB 1710 into law, amending existing law to impose even stricter regulation on businesses with access to personal information about California residents. California has long set the standard for protection of personal information, and AB 1710 further cements California’s status in this regard. The changes are effective January 1, 2015.
The changes implemented by the bill include the following:
1. Twelve Months of Identity Protection
If a business is required to notify a California resident that it is the source of a data breach that exposed or may have exposed a resident’s social security number, driver’s license number or California identification card number, that business now is also required to offer appropriate identity theft prevention and mitigation services at no cost to the affected person(s). These services must be provided for not less than 12 months, and the responsible business must provide affected California residents the necessary information to take advantage of the offer. The bill leaves for later interpretation what is included in “identity theft prevention and mitigation services” – the language suggests that this is more than simple credit monitoring.
2. “Maintained” Personal Information
Personal information about California residents that is “owned or licensed” by a business is already subject to the requirement in Civil Code Section 1798.81.5 for reasonable security. Generally, this section requires businesses to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, use, modification or disclosure. With the passage of AB 1710, personal information that is “maintained” by businesses also will be subject to these requirements.
This change significantly expands the reach of the general security requirements. The distinction made in this amendment may reach companies, such as payroll processors, that provide personal information to businesses in outsourcing arrangements, which were not previously subject to the reasonable security requirements.
3. Sale of Social Security Numbers
Before the amendment, Civil Code 1798.85 specifically prohibited businesses from a number of actions with respect to social security numbers, including, for example, posting or displaying social security numbers publicly, requiring unsecured or unencrypted web transmission of social security numbers and, with some exceptions, printing social security numbers on mailed materials, among other prohibited actions.
Last week's amendment adds selling, advertising for sale or offering to sell the social security number of California residents to the list of prohibited activities. The prohibition does not apply to the release of a social security number if it is incidental to a larger transaction and necessary to identify the individual in order to accomplish a legitimate business purpose. An exception is also allowed for a release of a social security number for a purpose specifically authorized or allowed by federal or state law. The law is clear that businesses are prohibited from selling social security numbers or releasing them for marketing purposes.
All businesses should take heed of these changes to California law, as they affect any business holding personal information of California residents, regardless of the location of the business. Companies are advised to review their security policies and procedures for compliance with the new laws. In the event of a data breach, Pepper can assist with a state-by-state analysis of the required disclosures and actions, including those specifically required in California.