Quirky Question #243 – More on Breach Notification Laws
Can you tell me what has been happening in California regarding breach notification laws?
Answer: By Melissa Krasnow
Continuing the trend of changes in state breach notification and related laws, Cal. A.B. 1710 amends California’s breach notification, security procedures, and Social Security number (SSN) laws in the wake of significant data breaches, particularly in the retail sector. (See “Changes in State Breach Notification Laws.”)
Cal. A.B. 1710 takes effect on January 1, 2015. State, federal, and foreign breach notification and related laws should continue to be monitored closely for further changes.
Breach Notification—Identity Theft Prevention and Mitigation Services
The primary change to California’s breach notification law is a first-of-its-kind requirement. Where the person or business providing breach notification was the source of the breach, it must offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost to the affected individual for not less than 12 months, together with all information necessary to take advantage of the offer. The offer must be made to any person whose information was or may have been breached, if the breach exposed or may have exposed the person’s first name or first initial and last name in combination with either of the following data elements, where the name or the data element is not encrypted:
- Social Security number
- Driver’s license number or California identification card number
By comparison, where Florida’s breach notification law requires notice to the state regulator, that notice must include any services related to the breach that the covered entity is offering, or scheduling to offer, to individuals without charge, along with instructions on how to use those services. Fla. Stat. § 501.171. Before Cal. A.B. 1710, offering identity theft prevention and mitigation services in a breach notification was a common practice rather than a legal requirement under state breach notification laws.
A practical consequence of this change is that identity theft prevention and mitigation services may also end up being offered to residents of other states who are affected by the same breach. Because a provider must already be engaged before such services can be offered, the selection and cost of these providers should be addressed in breach preparation, including in incident response plans.
Security Procedures Law
California’s security procedures law expands its application by adding personal information that a business “maintains,” meaning personal information the business holds but does not own or license. Accordingly, a business that owns, licenses, or maintains personal information about a California resident must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Also, a business that discloses personal information about a California resident under a contract with a nonaffiliated third party that does not own, license, or maintain such personal information must require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Written information security programs, security procedures, and practices, and contractual provisions regarding security procedures and practices should be revisited in light of the expanded application of California’s security procedures law.
SSN Law
California’s SSN law adds a prohibition on selling, advertising for sale, or offering to sell an individual’s SSN. The prohibition does not apply to a release of an individual’s SSN that (1) is incidental to a larger transaction and necessary to identify the individual in order to accomplish a legitimate business purpose (release of an SSN for marketing purposes remains prohibited), or (2) is for a purpose specifically authorized or specifically allowed by federal or state law.
SSN policies and practices should be reviewed and updated to reflect this additional prohibition.
This article was first published on IRMI.com and is reproduced with permission. Copyright 2014, International Risk Management Institute, Inc.