On September 30, 2014, California took further steps to protect the personal information of its residents by amending several sections of its breach notification and information security laws (Cal. Civ. Code §§ 1798.81.5, 1798.82 and 1798.85). The amended law, which is effective January 1, 2015, updates existing law in three significant ways:
1. Under current law, businesses that own or license personal information about a California resident must implement reasonable security procedures and practices appropriate to the nature of the information. This requirement is expanded to also include entities that merely “maintain” such personal information.
2. Under current law, businesses that own or license personal information may be required to issue a security breach notification to affected individuals in the event of a breach where an individual’s social security number or driver’s license number may have been exposed. The amended law provides that if the entity providing the notification was the source of the breach, an offer to provide identity theft prevention or mitigation services, if any, must be made at no cost to the affected person for at least 12 months, along with all information necessary to take advantage of the offer. The breach notification requirement does not apply to entities that merely “maintain” personal information. Given the words “if any,” and the ambiguity as to whether those words refer to the availability of credit monitoring services in the marketplace or to whether the business has chosen to offer it, it is not clear from the law whether this constitutes an absolute requirement to offer credit monitoring services to affected individuals. That said, we note that the bill’s co-author, Assemblyman Roger Dickinson, stated his view in a recent interview with Law360 that the offer to provide credit monitoring services is mandatory when a driver’s license number or social security number was breached.
3. Under current law, a business may not publicly disclose an individual’s social security number or engage in other acts that might compromise its security. The amended law clarifies that except as permitted by law, a person or entity may not sell, advertise for sale, or offer to sell an individual’s social security number.
For purposes of #1 above, the amended law defines the term “maintain” to include personal information that a business maintains but does not own or license. This appears to include entities that host or otherwise retain data for others, such as “cloud” storage companies and businesses that collect information but do not own or license it. These entities will need to implement and maintain reasonable security procedures and practices to the extent that the data they collect contains personal information. That said, the law provides that such security procedures and practices are scalable; they should be “appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”