California, which enacted the pioneering security breach notification law in 2002, again has taken the lead in security breach notification legislation. In an effort to protect consumers against unauthorized access to their online accounts, California has extended its security breach notification law to cover individuals’ online account credentials (i.e., a user name or email address, in combination with a password or security question and answer, that would permit access to an online account) in amendments that will take effect on January 1, 2014.1 This article discusses California’s existing security breach notification obligations, as well as the changes provided for in these amendments.
California’s Existing Security Breach Notification Law
Prior to its most recent amendments,2 California’s security breach notification statute covered “personal information,” defined as an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
- Social Security number;
- driver’s license number or California identification card number;
- account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
- medical information;3 or
- health insurance information.4
Under the law, any person or business that owns or licenses computerized data that includes personal information belonging to a California resident must notify that California resident in the event his or her personal information is, or is reasonably believed to be, acquired by an unauthorized person.5 Additionally, any entity maintaining computerized data that is not owned by that person or business and that includes personal information of a California resident must notify the owner or licensee of that personal information upon discovering any such event.6 All notifications under the law must be in plain language and must include the following details:
- the name and contact information of the reporting person or business;
- a list of the types of personal information that were or are reasonably believed to have been subject to the breach;
- if possible to determine at the time notice is provided, (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred;
- the date of the notification;
- whether notification was delayed by a law enforcement investigation, if possible to determine at the time notice is provided;
- a general description of the breach incident, if possible to determine at the time notice is provided; and
- the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a Social Security number or a driver’s license or California identification card number.7
California’s security breach notification law has permitted notification by one of the following methods:
- written notice;
- electronic notice;8 or
- if the person or business demonstrates that the cost of providing notice would exceed $250,000, that the affected class of persons exceeds 500,000, or that the entity does not have sufficient contact information, the person or business may provide substitute notice consisting of email notice (when the person or business has an email address for the affected person), conspicuous notice on the person or business’s website (if one exists), and notification to major statewide media.9
Recent Amendments Covering Online Account Credentials
California’s recent amendments to its security breach notification law expand the set of “personal information” covered by the law to online account credentials—that is, a user name or email address, in combination with a password or security question and answer that would permit access to an online account.
The amendments also provide entities with an optional method to provide security breach notification if the breach does not involve any personal information, as defined by the law, of California residents other than online account credentials. In such an event, a person or business may elect to provide required security breach notification under the law in a form that directs the person whose online credentials were breached to promptly change his or her password and security question or security answer, as applicable, or to take other steps appropriate to protect that person’s online account with that entity and all other online accounts for which that person uses the same credentials. This notice method is optional, and a person or business required to provide notification instead may choose to use one of the other notice methods permitted under the law.
The amended statute also provides that if the online account credentials that were breached were for an email account furnished by the person or business that suffered the breach, that person or business must not provide notice of the breach to the compromised email account. Rather, that person or business may use one of the other notification methods permitted under the law, or may provide clear and conspicuous notice delivered to the affected California resident online when that resident is connected to his or her email account from an IP address or online location from which that person or business knows the resident customarily accesses his or her email account.
California’s amendments may have a significant impact on licensees and holders of online account credentials belonging to California residents. Any widely available online service will have California users, which means that nearly all providers of online services will need to be cognizant of California’s amendments taking effect on January 1, 2014.
Additionally, it is possible that other states may follow California’s lead and extend the scope of their own security breach notification statutes. When California passed its pioneering state security breach notification legislation in 2002, dozens of states followed suit with similar laws in the years thereafter. By the end of the decade, nearly all states, as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, had enacted legislation providing for required security breach notification. States following California’s lead on this latest development would further complicate an already complex patchwork of state laws that must be considered by entities that suffer data security incidents. In addition, California’s amendments, and any similar amendments by other states, may provide further impetus for federal data breach notification legislation. Under some proposals, such federal legislation would preempt state law and help simplify the process of notifying consumers in the event of a data security breach. Federal data breach notification legislation has been proposed on several occasions in recent years, but has yet to be passed.
Only time will tell whether other states will follow California’s lead on this issue and whether federal legislation will garner sufficient support for passage. In the interim, all entities maintaining online account credentials of California residents should be aware of this expansion of California’s security breach notification statute and should consider appropriate modifications to their data security incident-handling procedures.
1 The legislation, Senate Bill No. 46 (SB46), applies to Sections 1798.29 and 1798.82 of the California Civil Code. See http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140SB46. Section 1798.29 applies to California state agencies, while Section 1798.82 applies to private persons and businesses. This article focuses on the amendments to Section 1798.82.
2 California’s security breach notification legislation has been amended on two previous occasions, as discussed in WSGR Alerts available at http://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/clientalert_securitybreach.htm and http://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-security-breach-notification.htm.
3 “Medical information” is defined as “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional.” Cal. Civ. Code § 1798.82(h).
4 “Health insurance information” is defined as “an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.” Cal. Civ. Code § 1798.82(h).
5 Cal. Civ. Code § 1798.82(a).
6 Cal. Civ. Code § 1798.82(b).
7 The notification must include the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a Social Security number or California identification card number. Cal. Civ. Code § 1798.82(d).
8 The electronic notice must be consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code. Cal. Civ. Code § 1798.82(j)(2).
9 Cal. Civ. Code § 1798.82(j).