California added new provisions to its data breach law on October 1 by signing Bill AB 1710 into law. The amendment to California’s Civil Code (1) requires entities that experience a data breach to provide identity theft prevention and mitigation services at no cost for 12 months if the notifying entity is the “source” of the breach, (2) requires entities that “maintain” personal information to implement the same safeguards to protect personal information as already required for those that own or license personal information, and (3) prohibits the sale (or offer to sell) individuals’ social security numbers. These new provisions will undoubtedly affect any business that deals with computerized personal information.
Identity Theft Services
The new law requires entities that own or license specified personal information to offer free identity theft protection and mitigation services for no less than 12 months to individuals affected by a data breach. Moreover, a data breach notice sent to affected individuals must include all information necessary to take advantage of the offer.
This new provision only applies if the notifying entity was the source of the breach and if specific personal information was involved. While the new law does not define “source,” the bill’s legislative history suggests that “source” refers to the location where the data breach occurred. To illustrate, a retailer would be the “source” of a data breach if hackers obtained consumers’ credit card information from the retailer’s computer system. It is not clear, however, whether the vendor or the retailer is the source of the breach when a retailer contracts with a third-party vendor, such as a cloud service provider, and the breach occurs on the vendor’s system. Presumably, the vendor would be the source of the breach. This could create tension surrounding the notification to affected individuals because the retailer has a strong interest in preserving its relationship with its customers. The retailer likely will want to control the notification message to its customers, yet the vendor may be charged with the duty to notify the affected customers.
Likewise, the new identity theft protection provision only applies to particular personal information—an individual’s first name or initial and last name combined with a social security number, driver’s license number or California identification card when either the name or the data elements are unencrypted. Personal information in this context does not include financial account information or medical information. Entities should verify that they encrypt this type of personal information to avoid application of the identity theft protection provision.
Under most circumstances, HIPAA-covered entities will be exempt from this new provision. California’s existing law provides that HIPAA-covered entities complying “completely” with Section 13402(f) of the federal HITECH Act will be “deemed to have complied with” the section of California law requiring the offer of free identity theft protection services.
Safeguarding Personal Information Applies to Those Who “Maintain”
Another new provision requires entities that maintain personal information to: (1) implement and maintain reasonable security procedures and practices to protect that information from unauthorized access, destruction, use or modification, and (2) notify owners or licensees of that information “immediately following discovery” of a breach of the security of the data. The new law does not clearly define “maintain,” but, again, the legislative history of the bill suggests the drafters intended “maintain” to refer to an entity that stores, gathers, or holds personal information, as a retailer may do with a customer’s financial information, in contrast to the “owner” of such financial information, which would be a financial institution.
This new provision encompasses a broader scope of personal information than that included in the new identity theft protection provision. Personal information here includes financial information such as account, credit or debit card numbers with any required security code or password, or medical information, in addition to an individual’s first name or initial and last name combined with a social security number, driver’s license number or California identification card.
Entities that maintain personal information should review their security practices and procedures to ensure any personal information implicated by this new provision is adequately protected against unauthorized access, destruction, use or modification. The reasonableness of an organization’s data security safeguards will likely be based upon its size, complexity and capabilities in order to take into account the resource limitations of smaller entities.
No Sale of Social Security Numbers
California also added new provisions to its data breach law prohibiting the sale, advertisement for sale, or offer to sell individuals’ social security numbers. While the new provisions specifically exempt releasing individuals’ social security numbers incident to a larger transaction where necessary to identify the person in order to accomplish a legitimate business purpose, releasing individuals’ social security numbers for marketing purposes is expressly banned.
The new additions to California’s data breach law can be found at: http://leginfo.legislature.ca.gov/faces/billCompareClient.xhtml.