Digital Media, Technology & Privacy Alert: California Amends Data Breach Notification Rules, Which “May” Include Free Credit Monitoring

October 24, 2014

California Governor Edmund G. Brown Jr. has now signed into law a bill that amends the state’s data breach rules, including language that refers to free credit monitoring, though the law does not appear to make such services mandatory.

Background
In 2003, California became the first state in the United States to enact a security breach notification law, requiring businesses that own or license personal information of California residents to notify people of unauthorized access to their unencrypted information.

In light of data losses experienced by retailers, financial institutions, and other businesses in early 2014, a number of California legislators proposed legislation that, as drafted, would have required companies that are the source of a breach involving customers’ personal information to offer identity theft and credit monitoring services at no charge to affected customers for two years. None of the 47 states with security breach notification laws currently requires the provision of credit monitoring services.

The actual bill passed by the California Assembly and Senate, and that has recently been signed into law by Governor Brown, pulls back significantly from that initial proposal.

Credit Monitoring
One section in an early version of the bill provided that where a person or business that was the source of a data breach provides notification (as required by California law) of the data breach, “an offer to provide appropriate identity theft prevention and mitigation services, such as credit monitoring, shall be provided at no cost to the affected person for not less than 24 months….” The cost of providing these credit monitoring services, depending upon the scope of the breach, could be very significant.

The bill as passed and signed into law, however, provides that where a person or business that was the source of a data breach provides notification (as required by California law) of the data breach, “an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months ...” (Emphasis on “if any” added.)

The addition of “if any” to the text of the bill makes clear that the law does not require a company that was the source of a data breach to offer “identity theft prevention and mitigation services” such as credit monitoring at all; it requires only that, where such services are offered, they be provided at no cost to affected persons for at least 12 months.

Two Additional Changes
The new California law also contains two other changes.

First, existing California law imposes certain security practices and post-breach notification requirements on individuals and entities that own or license computerized data that includes personal information. The new law extends these requirements to businesses that own, license, or “maintain” this type of personal information. This clarifies that mere possession of personal information, even without ownership, can trigger obligations under the law.

Second, the new law makes it clear that, generally speaking, companies may not “[s]ell, advertise for sale, or offer to sell” an individual’s Social Security number. Under the law, “sell” does not include the release of an individual’s Social Security number if the release is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose; nevertheless, release of an individual’s Social Security number for “marketing purposes” is not permitted.

Bottom Line
With the passage of California’s new data breach bill, companies that are the source of a breach involving personal information, and that have a duty to notify customers of the breach under California law, should carefully evaluate any offer to provide identity theft prevention and mitigation services (which may include credit monitoring), because any such offer must be made at no cost for at least 12 months. Further, any company that merely possesses personal information of California residents should be aware of its obligations under the law.