California has long set the standard for protection of its residents’ personal information. California’s constitution explicitly recognizes a right to individual privacy and California’s legislature has been on the forefront of privacy laws, passing the first data breach notification law in the country in 2003. California’s current Attorney General, Kamala Harris, has focused on strengthening privacy protections for California citizens since she took the office in January 2011. Harris created the Privacy Enforcement and Protection Unit in the Department of Justice, which focuses on protecting consumer and individual privacy through civil prosecution of state privacy laws. Harris’ office has also released two data breach reports, analyzing data breaches affecting California residents and providing recommendations for strengthening legal protections, many of which have become legislation.
On September 30, 2014, Gov. Edmund G. Brown signed AB 1710 into law, amending existing law to impose even stricter regulation on businesses with access to personal information about California residents, and further cementing California’s status as a leader in privacy protections. The changes implemented by the bill and effective January 1, 2015, include the following:
1. Twelve Months of Identity Protection
If a business is required to notify a California resident that it is the source of a data breach that exposed or may have exposed a resident’s social security number, driver’s license number or California identification card number, that business now is also required to offer to provide appropriate identity theft prevention and mitigation services at no cost to the affected person(s). These services must be provided for not less than twelve months and the responsible business must provide affected California residents the necessary information to take advantage of the offer. The bill leaves for later interpretation what is included in “identity theft prevention and mitigation services”; the language suggests that this is more than simple credit monitoring.
2. “Maintained” Personal Information
Personal information about California residents that is “owned or licensed” by a business is already subject to Civil Code Section 1798.81.5’s requirement for reasonable security. Generally, this section of the Civil Code requires businesses to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect itfrom unauthorized access, destruction, use, modification or disclosure. With the passage of AB 1710, personal information that is “maintained” by businesses will also be subject to Section 1798.81.5’s requirements.
This change significantly expands the reach of the general security requirements. The distinction made in this amendment may reach companies, such as payroll processors, that provide personal information to businesses in outsourcing arrangements, which were not previously subject to the reasonable security requirements.
3. Sale of Social Security Numbers
Prior to the amendment, Civil Code 1798.85 specifically prohibited businesses from a number of actions with respect to social security numbers, including, for example, posting or displaying social security numbers publicly, requiring unsecured or unencrypted web transmission of social security numbers and, with some exceptions, printing social security numbers on mailed materials, among other prohibited actions.
The September amendment adds selling, advertising for sale or offering to sell the social security number of California residents to the list of prohibited activities. The prohibition does not apply to the release of a social security number if it is incidental to a larger transaction and necessary to identify the individual in order to accomplish a legitimate business purpose. There is also an exception for a release of a social security number for a purpose specifically authorized or allowed by federal or state law. The law is clear that businesses are prohibited from releasing social security numbers for marketing purposes or to sell social security numbers.
All businesses should take heed of these changes to California law, as they affect any business holding personal information of California residents, regardless of the location of the business. Companies are advised to review their security policies and procedures for compliance with the new laws.