California Enacts Tough New Privacy Protections
Client Alert | 3 min read | 10.02.14
On September 30, 2014, California Governor Jerry Brown signed into law Assembly Bill 1710, which contains a new set of personal information protections that affect all businesses that "own, license, or maintain personal information about Californians." In what may become a precedent for other jurisdictions, the law includes the nation's first mandatory state requirement for breached entities to offer breach mitigation services – including credit monitoring – to all affected individuals. Further, the law includes new restrictions on the sale of social security numbers (SSNs). These amendments to the existing California Civil Code Sections 1798.81.5, 1798.82, and 1798.85 will take effect on January 1, 2015.
While offering some sort of breach mitigation services has become common practice for breached entities, California will now require any notifying entity that is the source of a breach to "offer to provide appropriate identity theft prevention and mitigation services … at no cost to the affected person for not less than 12 months." This obligation will apply only to breaches involving Californians' names combined with an SSN, driver's license number, or California ID number.
California has also expanded the scope of its pre-breach privacy protections by including, in addition to business that "own or license" personal information about California residents, businesses that simply "maintain" such information. Now "a business that owns, licenses, or maintains personal information about a California resident" is required to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure." This could have a significant impact on service providers tasked with maintaining covered information.
Finally, the new law limits the sale of social security numbers. While carving out an exception for "release of an individual's social security number if the release … is incidental to a larger transaction," the law states that businesses may not "sell, advertise for sale, or offer to sell an individual's social security number."
The bill that passed left out some of the more stringent provisions included in an earlier proposal. Based on industry comments, the bill's co-sponsors removed provisions that included limits on the amount of payment information a retailer could store in its system as well as more stringent encryption standards. Nevertheless, this new law will affect a broad range of businesses and anyone else who "maintains" the personal information of California residents, and those businesses should review the new requirements carefully to understand their compliance requirements.
Contacts
Insights
Client Alert | 3 min read | 12.10.24
Fast Lane to the Future: FCC Greenlights Smarter, Safer Cars
The Federal Communications Commission (FCC) has recently issued a second report and order to modernize vehicle communication technology by transitioning to Cellular-Vehicle-to-Everything (C-V2X) systems within the 5.9 GHz spectrum band. This initiative is part of a broader effort to advance Intelligent Transportation Systems (ITS) in the U.S., enhancing road safety and traffic efficiency. While we previously reported on the frustrations with the long time it took to finalize rules concerning C-V2X technology, this almost-final version of the rule has stirred excitement in the industry as companies can start to accelerate development, now that they know the rules they must comply with.
Client Alert | 6 min read | 12.09.24
Eleven States Sue Asset Managers Alleging ESG Conspiracy to Restrict Coal Production
Client Alert | 3 min read | 12.09.24
New York Department of Labor Issues Guidance Regarding Paid Prenatal Leave, Taking Effect January 1
Client Alert | 4 min read | 12.06.24