California Enacts Tough New Privacy Protections
Client Alert | 3 min read | 10.02.14
On September 30, 2014, California Governor Jerry Brown signed into law Assembly Bill 1710, which contains a new set of personal information protections that affect all businesses that "own, license, or maintain personal information about Californians." In what may become a precedent for other jurisdictions, the law includes the nation's first mandatory state requirement for breached entities to offer breach mitigation services – including credit monitoring – to all affected individuals. Further, the law includes new restrictions on the sale of social security numbers (SSNs). These amendments to the existing California Civil Code Sections 1798.81.5, 1798.82, and 1798.85 will take effect on January 1, 2015.
While offering some sort of breach mitigation services has become common practice for breached entities, California will now require any notifying entity that is the source of a breach to "offer to provide appropriate identity theft prevention and mitigation services … at no cost to the affected person for not less than 12 months." This obligation will apply only to breaches involving Californians' names combined with an SSN, driver's license number, or California ID number.
California has also expanded the scope of its pre-breach privacy protections by including, in addition to business that "own or license" personal information about California residents, businesses that simply "maintain" such information. Now "a business that owns, licenses, or maintains personal information about a California resident" is required to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure." This could have a significant impact on service providers tasked with maintaining covered information.
Finally, the new law limits the sale of social security numbers. While carving out an exception for "release of an individual's social security number if the release … is incidental to a larger transaction," the law states that businesses may not "sell, advertise for sale, or offer to sell an individual's social security number."
The bill that passed left out some of the more stringent provisions included in an earlier proposal. Based on industry comments, the bill's co-sponsors removed provisions that included limits on the amount of payment information a retailer could store in its system as well as more stringent encryption standards. Nevertheless, this new law will affect a broad range of businesses and anyone else who "maintains" the personal information of California residents, and those businesses should review the new requirements carefully to understand their compliance requirements.
Contacts
Insights
Client Alert | 2 min read | 07.15.26
CMMC Phase II Suspension Requires Reconsideration of Such Requirements in Solicitations
As discussed in more detail here, the U.S. Department of War (DoW) recently issued a memorandum (Memo 26-P-1023, dated July 13, 2026) directing the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements (Level I and II self assessments are still permitted). Significantly, the memo directs that “all pending and future CMMC implementation milestones across DoW solicitations and contracts are held in abeyance until further notice.” Moreover, the DoW issued a memorandum on implementing these requirements (available here), directing agencies to issue amendments removing CMMC Level 2 and 3 requirements from active solicitations “as soon as practicable.” Contractors should monitor the government’s compliance with this requirement and should be prepared, if needed, to file a bid protest to protect their rights.
Client Alert | 3 min read | 07.15.26
Client Alert | 3 min read | 07.14.26
Client Alert | 3 min read | 07.13.26
Amici Rally Behind Liberty Global, Urging Tenth Circuit to Rein in Economic Substance Doctrine

