Getting More Personal: California Amends Data Security Law

Davis Wright Tremaine LLP

California’s data security statute will get a little more “personal” as of January 1, thanks to a recently passed amendment revising the definition of covered personal information.

On July 14, California expanded the definition of “personal information” under its data security statute with the enactment of A.B. 1541, effective January 2016. Specifically, the definition of “personal information” will then include (a) a username or e-mail address combined with a password or security question and answer for access to an online account; and (b) health insurance information. Health insurance information is defined to include (1) an individual’s insurance policy number or subscriber identification number; (2) any unique identifier used by a health insurer to identify the individual; or (3) any information in an individual’s application and claims history, including any appeals records.

The data security statute essentially requires businesses that own, license, or maintain residents’ “personal information” to establish reasonable security procedures. The law also requires businesses that share personal information with other parties, such as vendors, to ensure by contract that the vendor establishes reasonable security procedures.

This amendment, which takes effect on January 1, 2016, essentially brings the definition of personal information in the data security statute into harmony with California’s data breach notification law. According to one legislative committee, the addition of usernames and passwords to the definition of personal information was in part due to the fact that residents “use the same password or username or answer to a security question for some or all of their online accounts.” Consequently, a “breach of one online account can have a cascading effect upon the user’s other accounts.” Neither statute includes a definition of an online account.

Entities that maintain personal information of customers and are subject to California law will need to review and revise their data security and data breach notification policies and procedures to ensure compliance with the amendment before the changes go into effect next January.

Please refer to Davis Wright Tremaine’s data breach notification summaries for information regarding breach notification requirements that your business may be subject to.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising
