Earlier this month, the California legislature voted to expand the scope of the state’s Security Breach Notification Law (Section 1798.82 of the California Civil Code). The current law requires any business that conducts business in California, including one with only an e-commerce presence in the state, to notify California residents when the security of their personal information held by that business has been breached. SB-46, which was passed on September 10th, expands the Security Breach Notification Law in three key ways.
First, the amendment expands the definition of “personal information” to include “username or email address, in combination with a password or security question and answer that permits access to an online account.” This broadens the current definition, which applied only to an individual’s first name (or first initial) and last name in combination with any one of the following: (1) Social Security number; (2) driver’s license or California identification card number; (3) account number in combination with any security code, access code, PIN, or password permitting access to the individual’s financial account; (4) medical information; or (5) health insurance information. The practical effect is that a stolen credential database now triggers the statute even when no name, Social Security number, or financial account number was exposed.
Second, the amendment creates a special rule for breaches involving the login credentials of an email account that the business itself furnishes to the customer. Currently, a business that suffers a breach must give affected California residents a notice containing a long list of information: (1) the name and contact information of the business; (2) the types of personal information breached; (3) the date, estimated date, or date range of the breach; (4) the date of the notice; (5) whether notification was delayed as a result of a law enforcement investigation; (6) a general description of the breach; and (7) contact information for the major credit reporting agencies if the breach exposed a Social Security number or a driver’s license or California identification card number. Under the amendment, a business may not satisfy the statute by sending that notice to the very email address whose credentials were compromised (an attacker who holds the password can read or delete it). Instead, the business may use one of the other notification methods the statute already permits, or give notice “by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the business knows the resident customarily accesses the account.”
Finally, the amendment provides a streamlined notification process for breaches of online account information. The new process allows a business to comply with the notification requirement by providing notice in “electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.” In other words, the notice must address credential reuse: the customer is told to change the compromised password not only at the breached business but anywhere else the same username and password pair is used.
If the amendment is signed by Governor Jerry Brown, it will force California businesses to re-think their existing information security and incident response policies, in particular how they store and protect account credentials and how they notify customers when those credentials are exposed. The more stringent provisions of SB-46 also parallel efforts by the FTC to strengthen consumer privacy protections at the federal level (e.g., asking Congress for authority to impose civil penalties on companies with inadequate security measures), and in the European Union, which recently adopted a regulation obligating providers of publicly available electronic communications services to notify the competent national authority within 24 hours of detecting a personal data breach, and affected subscribers without undue delay.
Our firm will be continuing to monitor developments concerning SB-46, and if the legislation becomes law, we will notify our clients. For more information about the firm’s privacy practice, please visit our website or contact Linda McReynolds, Certified Information Privacy Professional (CIPP/US), at email@example.com.