California Amends Data Security Breach Notification Law

February 12th, 2015
Data Security-Privacy

by Larry Kunin and Patrick McKenzie

Continuing a growing nationwide trend of adopting more stringent data breach laws, California recently amended its security breach notification law—California Civil Code Section 1798 et seq.—effective January 1, 2015. While this law applies to companies doing business in California, companies in other states that have an office in California will also have to comply. Minnesota and Florida also amended data security laws over the past several months in response to highly publicized data breaches such as the one involving Target.

The California security breach notification law requires persons or businesses that own or license personal information about California residents to implement and maintain reasonable security procedures to protect such information from “unauthorized access, destruction, use, modification, or disclosure.” A.B. 1710. The person or business is also required to disclose to the affected individual any security breaches that result in the acquisition of such personal information by any unauthorized persons.

The new amendment expands the current law to also cover persons or businesses that “maintain” personal information, even if they don’t own or license it. In addition, the amendment provides that if the person or business that is the source of the breach “offer[s] to provide appropriate identity theft and mitigation services, if any, to the affected person” such services must be provided “at no cost for not less than 12 months.” Id. (emphasis supplied). Finally, the security breach notification law now prohibits the sale of, advertisement for sale of, or offer to sell an individual’s social security number.

It is noteworthy that the phrase “if any” does not appear to require the provision of identity theft prevention and mitigation services, but instead requires that if such services are provided, they must be provided at no cost for at least 12 months.

Companies that conduct business across the country should be on alert for additional changes in data breach laws, as the trend of creating more stringent laws is likely to continue.

The information presented is for educational and informational purposes and is not intended to constitute legal advice. Readers should consult their professional advisor.  Any opinions expressed within this article are solely the opinion of the featured author and not of Morris, Manning & Martin, LLP.