California Data Breaches Require Identity Protection Services

California has long set the standard for protection of its residents’ personal information. California’s constitution explicitly recognizes a right to individual  privacy and California’s legislature has been on the forefront of privacy laws,  passing the first data breach notification law in the country in 2003. California’s  current Attorney General, Kamala Harris, has focused on strengthening privacy  protections for California citizens since she took the office in January 2011. Harris created the Privacy Enforcement and Protection Unit in the Department  of Justice, which focuses on protecting consumer and individual privacy through civil prosecution of state privacy laws. Harris’ office has also released two data  breach reports, analyzing data breaches affecting California residents and  providing recommendations for strengthening legal protections, many of which  have become legislation.

On September 30, 2014, Gov. Edmund G. Brown signed AB 1710 into law,  amending existing law to impose even stricter regulation on businesses with  access to personal information about California residents, and further cementing California’s status as a leader in privacy protections. The changes implemented  by the bill and effective January 1, 2015, include the following:

1. Twelve Months of Identity Protection

If a business is required to notify a California resident that it is the source of a  data breach that exposed or may have exposed a resident’s social security  number, driver’s license number or California identification card number, that  business now is also required to offer to provide appropriate identity theft  prevention and mitigation services at no cost to the affected person(s). These  services must be provided for not less than twelve months and the responsible business must provide affected California residents the necessary information to  take advantage of the offer. The bill leaves for later interpretation what is  included in “identity theft prevention and mitigation services”; the language  suggests that this is more than simple credit monitoring.

2. “Maintained” Personal Information

Personal information about California residents that is “owned or licensed” by a  business is already subject to Civil Code Section 1798.81.5’s requirement for  reasonable security. Generally, this section of the Civil Code requires businesses  to implement and maintain reasonable security procedures and practices  appropriate to the nature of the information to protect itfrom unauthorized access, destruction, use, modification or disclosure. With the passage of AB 1710,  personal information that is “maintained” by businesses will also be  subject to Section 1798.81.5’s requirements.

This change significantly expands the reach of the general security requirements.  The distinction made in this amendment may reach companies,  such as payroll processors, that provide personal information to businesses in  outsourcing arrangements, which were not previously subject to the reasonable  security requirements.

3. Sale of Social Security Numbers

Prior to the amendment, Civil Code 1798.85 specifically prohibited businesses  from a number of actions with respect to social security numbers, including, for  example, posting or displaying social security numbers publicly, requiring  unsecured or unencrypted web transmission of social security numbers and, with  some exceptions, printing social security numbers on mailed materials,  among other prohibited actions.

The September amendment adds selling,  advertising for sale or offering to sell the social security number of California  residents to the list of prohibited activities. The prohibition does not apply to the release of a social security number if it is incidental to a larger transaction and necessary to identify the individual in order to accomplish a legitimate business  purpose. There is also an exception for a release of a social security number for a purpose specifically authorized or allowed by federal or state law. The law is  clear that businesses are prohibited from releasing social security numbers for  marketing purposes or to sell social security numbers.

All businesses should take heed of these changes to California law, as they affect any business holding personal information of California residents, regardless of  the location of the business. Companies are advised to review their security  policies and procedures for compliance with the new laws.

Written by Sharon R. Klein and Melissa L. Nuñez.

Sharon R. Klein is a Partner in Pepper Hamilton, LLP’s Orange County, CA office and leads Pepper’s Privacy, Security and Data Protection practice.

Melissa L. Nuñez is a Corporate and Securities Associate in Pepper’s Orange  County, California office.


One response to “California Data Breaches Require Identity Protection Services

  1. While Almonte’s group didn’t victory the competition (regulations prevented him frompitching every game), it definitely wasn’t hisfault.Also visit my blog post; http://www.uborka-Novorossiysk.Ru

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s