California Becomes First State to Require Credit Monitoring Services Information Following a Data Breach
An amendment to the California data breach notification statute requires companies that experience a data breach to state in the notification that identity theft prevention and mitigation services, if provided, will be provided to affected persons for at least 12 months at no cost, if the breach exposed or may have exposed certain personal information. This is the first time any state has imposed such mandates. The new law, AB 1710, signed by Governor Jerry Brown on September 30, 2014, also expands the application of safeguard requirements for personal information and further prohibits certain uses and disclosures of Social Security numbers. The new law becomes effective January 1, 2015.
New Identity Theft, Credit Monitoring Notification Mandates
Currently, California and 46 other states require entities that own or license certain personal information to notify individuals whose personal information has been involved in a data breach. No state has broadly required entities with a breach notification obligation to provide credit monitoring services or “identity theft prevention and mitigation services” to affected persons. Of course, many companies have provided such services, and State Attorneys General have urged businesses to extend such services.
The new law appears to require that if identity theft prevention and mitigation services are provided, the data breach notification must inform the affected persons that the services will be provided for at least 12 months and at no cost, and must also include information on how to obtain the services.
The amendment adds the following to the breach statute (Cal. Civil Code 1798.82(d)(2)(G)):
If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).
The new requirement applies only if the breach involved Social Security numbers, driver’s license numbers or California identification card numbers, but not credit card account numbers or the other elements of personal information in the existing California law.
Current California law provides that entities covered by HIPAA (Health Insurance Portability and Accountability Act) are deemed to comply with the notice requirements in Cal. Civil Code 1798.82(d) if they comply with the breach notification obligations under HIPAA. (The California law does not mention business associates.) It is not clear whether compliance with the HIPAA breach notification obligations also would satisfy the new identity theft prevention and mitigation services notification requirements, since the new requirements, which apply when identity theft prevention and mitigation services are offered, seem to go beyond the scope of a notice requirement. Covered entities will have to be careful and consider the preemption provisions under HIPAA.
Safeguarding Personal Information
California requires businesses that own or license personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. To “own or license” means that a business retained personal information as part of its internal customer account or for the purpose of using that information in transactions with the person to whom the information relates.
AB 1710 expands this requirement to businesses that “maintain” personal information; that is, personal information a business keeps, but does not own or license. This is a significant expansion of the safeguard requirement. Businesses maintaining the personal information of California residents should increase their safeguards for that information, whether it applies to customers, employees, students, or other residents.
Personal information means:
an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information (any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional).
This obligation does not apply to providers of health care, health care service plans, or contractors regulated by the state Confidentiality of Medical Information Act.
Prohibitions on Sale, Marketing of Social Security Numbers
California also maintains specific protections for Social Security numbers, including prohibiting persons or entities from publicly posting or displaying an individual’s Social Security number or doing certain other acts that might compromise the security of an individual’s Social Security number, subject to certain exceptions.
AB 1710 prohibits the sale, advertisement for sale, or offer to sell an individual’s Social Security number. The prohibition does not extend to the release of Social Security numbers when it is incidental to a larger transaction and is necessary to identify the individual to accomplish a legitimate business purpose. This exception, for example, might apply when, in a sale of a business, records containing Social Security numbers are released to the buyer. However, release of an individual’s Social Security number for marketing purposes is not permitted. Additionally, the release of an individual’s Social Security number for a purpose specifically authorized or specifically allowed by federal or state law is not prohibited by AB 1710.
Likely in response to media reports of data breaches and the alarming number of complaints of identity theft received by federal and state agencies, states have been making their breach notification and data security laws tougher. (For example, see our article on recent amendments to Florida’s law.) Companies need to be aware of these changes and review and update their security incident response plans, as well as their overall risk assessment.