A new California law could impact the way businesses across the country deal with customers’ personal information. On September 30, 2014, Governor Jerry Brown signed Assembly Bill No. 1710 into law, expanding requirements on persons or businesses that own or license personal information of a California resident and extending those requirements to persons or businesses that “maintain” the personal information of a California resident. While these new requirements only apply to the personal information of the California resident, businesses across the country with an online presence, and many without an online presence, likely maintain personal information on at least some California residents.
California law already required businesses that owned or licensed personal information about California residents to implement reasonable security procedures to prevent the unauthorized access, destruction, use, modification, or disclosure of the information, and it required these businesses to disclose a breach of its security procedures.
The new law expands these requirements to businesses that maintain the personal information of a California resident. The statute defines “maintain” broadly to mean personal information that a business maintains but does not own or license, which leaves open the possibility that possessing, in any way, the personal information of a California resident could subject a business to these requirements.
A notification of a breach in a business’s security procedures must be written in plain language, and it must include:
- The name and contact information of the reporting person or business;
- A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
- If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred;
- The date of the notice;
- Whether notification was delayed as a result of law enforcement investigation if that information is possible to determine at the time the notice is provided;
- A general description of the breach incident, if that information is possible to determine at the time the notice is provided;
- The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number; and
- Additional information that, at the discretion of a notifying person or business, may be disclosed.
In addition to requiring businesses to notify a California resident of a security breach involving his/her personal information, the law requires a notifying party that offers to provide identity theft prevention and mitigation services as a result of the security breach to make such an offer at no cost to the affected person for not less than 12 months if the breach exposed or may have exposed the person’s social security number, driver’s license number, or California identification card number. It also requires such an offer to be accompanied by all necessary information to take advantage of the offer.
Finally, AB 1710 further limits the permissible use of a California resident’s social security number. California law already prohibited a person or entity from:
- Publicly posting or displaying in any manner an individual’s social security number;
- Printing an individual’s social security number on any card required for the individual to access products or services provided by the person or entity;
- Requiring an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted;
- Requiring an individual to use his or her social security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site; and
- Subject to limited exceptions for applications and forms sent by mail, printing an individual’s social security number on any materials that are mailed to the individual, unless state or federal law requires the social security number to be on the documents to be mailed.
To that list, AB 1710 adds a prohibition on a person or entity:
6. Selling, advertising for sale, or offering to sell an individual’s social security number.
If you have any questions regarding California’s new data protection requirements or data protection requirements in other jurisdictions, please contact Linda McReynolds at lgm@commlawgroup.com /703-714-1318.