As we learned this summer, online account usernames can be, well . . . somewhat embarrassing when made public.  Here in California, however, that type of username or an email address, in combination with a password or security question and answer, could soon be considered personal information.  As a result, any person or business that conducts business in California may be required to notify its users if that type of information is compromised by a data breach incident.

Along with a number of other data privacy bills, the California legislature has sent Senate Bill 46 to Governor Jerry Brown for signature.  S.B. 46, together with companion bill A.B. 1149, would amend Sections 1798.29 and 1798.82 of the California Civil Code to expand the definition of “personal information.”  This could have a wide impact, given that notification requirements following a data breach incident depend upon whether the information that was compromised constitutes “personal information” as defined by the applicable state law.

As it currently stands, California defines “personal information” to include an individual’s name in combination with that individual’s (i) social security number, (ii) driver’s license or California identification card number, (iii) account, credit or debit card number together with a security or access code that would permit access to that individual’s financial account, (iv) medical information or (v) health insurance information; where either the name or the other piece of information is not encrypted.

As amended, California’s definition of “personal information” would also include “[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account.”  This expansion is significant, especially considering that the number of data breach incidents that require notification are already dramatically on the rise.  Information like emails and passwords are commonly collected by online services, so adding that type of information as a trigger for data breach notification could exponentially increase the number of persons and businesses that are subject to those requirements.

If your business collects emails, user names, passwords and/or security question information, here are 4 steps you can take to prepare for the coming changes:

  • Reassess your security measures.  Services that collect medical information or social security numbers have known for some time that they need proper protections in place to secure that information.  If your business is newly subject to data breach notification requirements, understanding your risk profile will require a fresh look at how secure your system is.
  • Understand who you share information with.  When it comes to data breach notification, you can be equally responsible if the person or entity who experiences the data breach was a third party who received the information from you.  Be sure that you understand who you share personal information with and how they protect it.
  • Consider deleting what you don’t need.  The easiest way to reduce your risk profile is to limit what you collect and retain.  Consider putting a process in place for deleting information that you no longer require, such as information related to closed accounts.
  • Have a plan.  The moment when you discover there has been a data breach is not the time to figure out your plan for what to do when you have a data breach.  There’s no time like the present to put a game plan in place that can be used in the event of an emergency.