On August 19, 2014, California state legislators made final amendments to a bill updating the state’s breach notification law. The amended bill, which passed the State Senate on August 21 and the Assembly on August 25, is now headed to California Governor Jerry Brown for signature. If signed, the scope of the existing law would extend to apply to entities that “maintain” personal information about California residents. Currently, only entities that “own” or “license” such personal information are required to implement and maintain reasonable security procedures and practices to protect the personal information from unauthorized access, destruction, modification or disclosure.
In addition, the bill would require notifying entities that are the source of a security breach to include in their notification an offer to provide “appropriate identity theft prevention and mitigation services” to affected individuals for not less than 12 months at no cost to the individual. The bill also would strengthen current restrictions on the use or disclosure of Social Security numbers by prohibiting selling, offering to sell, or advertising the sale of, Social Security numbers.