On September 30, 2014, the Governor of California signed Assembly Bill 1710, which made three small but important changes to the state’s privacy laws. The bill: (1) amended California’s breach notification law to require that the notifying entities offer identity theft protection services to affected individuals in certain cases; (2) required California businesses that “maintain” personal information on state residents to adopt reasonable security procedures to protect that personal information (a requirement that previously only applied to businesses that own or license such data); and (3) amended the state’s Social Security Number (“SSN”) protection law to prohibit the sale or advertisement for sale of such numbers, with limited exception. The bill will become effective January 1, 2015. Having been the first state to enact a breach notification law, California continues to be at the cutting edge of state efforts to deal with cybersecurity.
California’s amended breach notification statute is the first in the country to affirmatively require that breached entities provide identity theft prevention services to affected individuals. While many breached entities (including Target and Neiman Marcus) offer credit monitoring or similar services in the wake of a breach, and several state Attorney General’s Offices, including Vermont’s, previously issued guidance recommending that breached companies offer such services, no breach notification law in any of the 47 U.S. states or the District of Columbia that have one actually requires it. The amended California statute requires any notifying entity that “was the source of the breach” to offer affected individuals “appropriate identity theft prevention and mitigation services . . . at no cost to the affected person” for at least one year. Importantly, this requirement is triggered only when an individual’s name, together with his or her Social Security number, driver’s license number or California identification card number, is acquired by an unauthorized person as a result of a breach. California residents must also be notified of a breach that compromises their financial account numbers together with the associated security codes, their medical information or their health insurance information, but in those cases the notifying entity is not required to provide identity theft services.
The new bill also expanded the number of California companies legally obligated to implement reasonable data security practices. Under previous law, any California business that “owns or licenses” personal information regarding California residents was required to adopt reasonable security practices to protect that personal information from “unauthorized access, destruction, use, modification or disclosure.” The amended statute extends the same obligation to businesses that merely “maintain” personal information. The statute defines “maintain” only by contrast with owning or licensing: “maintain” includes “personal information that a business maintains but does not own or license.” A business “owns” or “licenses” personal information that it “retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates.” In practice, this means that service providers, processors and other third parties that hold California residents’ personal information on behalf of another business now carry a direct statutory duty to secure it, not merely a contractual one.
Finally, the bill expanded the state’s SSN protection law by prohibiting the sale of such numbers, in most cases. Under previous law, no person or entity could, among other things, publicly post or display a SSN to the general public, require that an individual transmit their SSN online unless the number is encrypted or the connection is secure, or print an SSN on a card the individual must use to access products or services. The amended law also makes it illegal to “sell, advertise for sale, or offer to sell an individual’s [SSN]” unless the number is “incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose.” The statute is explicit that “[r]elease of an individual’s [SSN] for marketing purposes is not permitted.”