California recently expanded its existing data breach law. The new law, which goes into effect on January 1, 2015, amends California Civil Code Sections 1798.81.5, 1798.82, and 1798.85, and requires reasonable security procedures for businesses maintaining personal information, changes how data breach notifications are handled, and adds specific protections for social security numbers.
Businesses that own or maintain personal information about California residents will be required to have reasonable security procedures that are appropriate to the nature of the information. This represents an expansion of the security requirements to vendors which receive and store other companies’ data. The procedures must protect against unauthorized access, use, destruction, or disclosure of personal information.
The statute defines “personal information” as a person’s first name (or first initial) and last name when combined with the person’s social security number, driver’s license number, credit card number (if combined with a security code that would provide access to a financial account), or medical information. If either the name or the subsequent elements are encrypted, then the data is not considered personal information.
If personal information is acquired by an unauthorized person, the company must notify the affected persons of the breach in plain language without an unreasonable delay. The notification is required to include (i) contact information for the business, (ii) the types of personal information that were part of the breach, (iii) when the breach occurred, if known, (iv) a general description of the incident, if known, and (v) if social security numbers or driver’s license numbers were exposed, the contact information for the major credit reporting agencies.
While businesses suffering a breach are not required to offer identity theft monitoring services, if they do, the service must be free to the affected person for at least 12 months.
Notice can be provided in writing or, if the affected person previously consented, by electronic means. Additionally, there is a substitute procedure for large-scale breaches. If more than 500,000 people were affected or the cost of providing notice would exceed $250,000, notice can be provided by email, conspicuous posting on the business’ website, or notification to major statewide media.
In the case of a breach that is limited to log-in information (username and password) for an online (non-email) system, the business can instead provide electronic notification that directs affected persons to change their passwords. If the login credentials for an email system are exfiltrated, the business cannot use email to provide notice. Instead, it must use the other notice methods described above, or it can provide a clear and conspicuous notice online when an affected person connects to the system from an IP address the business knows the person ordinarily connects from.
If a business shares personal information with a third party pursuant to a contract, the contract must require the third party to implement comparable security practices. If the third party suffers a data breach, it is required to notify the company from which it received the data.
The new statute also provides protections for social security numbers. Businesses will be prohibited from (i) publicly displaying social security numbers, (ii) printing social security numbers on access cards, (iii) requiring a person to transmit his or her social security number online, unless encrypted, (iv) printing a social security number on mailed materials, (v) offering to sell or selling a social security number, or (vi) encoding a social security number on a card (such as in a bar code or magnetic strip).