In 2002, California became the first state in the union to enact a data breach notification law. The statute requires California businesses, and businesses that own or license computerized data that includes personal information of California residents, to disclose when there has been a breach of the security system used to protect that data. Since 2002, California has gradually expanded both the scope of personal data subject to the notification law and the information that must be disclosed in the notice when a breach occurs. Beginning January 1, 2014, California will become the first state to require California businesses, and businesses possessing data of California residents, to disclose a breach of users’ online account credentials.
The new legislation amends the state’s Civil Code to require disclosure of the breach of “[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account.” This likely includes a breach of a username and password associated with an email account, a social networking service, or an online game subscription. Increasingly, businesses have chosen to disclose such breaches voluntarily to get ahead of the curve and be as transparent as possible with their customers about privacy and security of personal information. The legislation makes the disclosures mandatory, and creates new requirements on the content of the notice and the means by which it is delivered.
The new law creates specific notification options and requirements when a breach of online account information occurs. The business can give electronic notice to the affected account holders that “promptly” directs them to change their passwords and security questions or answers, or to take other steps appropriate to protect the online account with the person or business, and all other online accounts for which the person uses the same user name or email address together with the same password or security question or answer. The reference to other accounts reflects the practical risk of a credential breach: users commonly reuse the same password across services, so a stolen credential for one account is frequently a working credential for others.
This notice method is available only where the breached information is limited to a user’s online account credentials. If other personal information is also compromised, such as a user’s first and last name together with a Social Security number, the business must comply with the notice provisions set forth in Civil Code section 1798.82(j). Where the breached credentials belong to an email account furnished by the business, the business cannot satisfy the requirement by sending the notice to that email address, since whoever obtained the credentials may be reading that mailbox. Instead, it may give notice by any other means specified in that section of the Code, or by “clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.”
Because many businesses that suffer data breaches do not hold the categories of personal information covered by the existing statute, those breaches have gone unreported. The new legislation will very likely increase both the number of data breaches reported and the number of companies required to report them, at least in the near term.
The amended California breach notification statute will become effective on January 1, 2014. Businesses that collect and store data of California residents containing user names or email addresses together with the passwords or security answers used to access online and email accounts should become familiar with the new law. These businesses should assess their current data security procedures and breach incident response plans now, so that they can comply with the amended statute if a security breach occurs.
Additionally, the expansion of the California breach notification law to cover user names and email addresses may have a significant influence nationwide, aiding the movement to pass similar amendments to the existing breach laws in 45 other states, as well as proposed federal breach notification legislation in Congress.
Finkel Law Group, with offices in San Francisco and Walnut Creek, California, has worked with many companies that collect and retain personal consumer information and has assisted them with privacy policies, security policies and protocols, and the notification and disclosure requirements imposed by federal and California law. When you need intelligent, insightful, conscientious and cost-effective legal counsel on how you protect and manage personal information collected from consumers, please contact us at (415) 252-9600 or info@finkellawgroup.com to speak with one of our attorneys about your matter.