On January 1, 2014, S.B. 46 became effective, extending California’s data breach notification requirements to a new area: individual online user accounts. Companies should take note of this significant development. It is a substantial enlargement of the notification burdens that many companies face (in particular, those that conduct business in California and that own or license computerized data including personal information), and it is indicative of, and may prefigure, other jurisdictions’ efforts to update their privacy laws to ensure online privacy in emerging areas.
Prior to S.B. 46, a business that owned or licensed computerized “personal information” had to “disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”[1] “Personal information” was defined as “an individual’s first name or first initial and last name” in combination with one or more additional data elements.[2] These data elements included a variety of individual identifiers: Social Security numbers; driver’s license or state identification card numbers; bank, credit, or debit card numbers (when combined with the account’s access or security code, or password); medical information; and health insurance information.[3] “Personal information” does not include information that is publicly available through federal, state or local government records.[4]
S.B. 46 amends and expands California’s data breach notification laws to provide privacy protections for residents in a new sphere, namely, online user accounts. To achieve this, the new law broadens California’s definition of “personal information.” More specifically, under S.B. 46, “personal information” will include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.”[5]
In addition, under S.B. 46, the kind of notification that businesses are required to provide affected persons depends on the kind of personal information that is lost in a data breach. Where an online account is breached but none of the data elements noted above is lost (for example, there is no loss of the user’s first and last names in combination with, say, his or her Social Security number), businesses may notify the account user through the online account.[6] In such a case, the business would simply direct the user to change his or her account password and/or security questions or answers or, where applicable, to take other appropriate steps.[7]
In contrast, where there has been a breach of the “login credentials for an email account furnished by . . . the business,” it is possible that an unauthorized person will have assumed control of the user account, rendering notification through the account ineffective or counterproductive. To guard against this, S.B. 46 provides that in such circumstances businesses may not comply with their legal obligations by giving “notification to that email address,” but instead must give notice in other ways (e.g., though written notice or, in certain situations, a substitute form of notice, such as a conspicuous posting on the business’s Internet website page).[8] Businesses may also comply with their notice obligations in these circumstances by providing “clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet protocol address or online location from which the person or business knows the resident customarily accesses the account.”[9]
Recommendations
S.B. 46 became effective on January 1, 2014. Companies or organizations that conduct business in California and that own or license computerized data including personal information may need to review their privacy and data security procedures to ensure that they meet the new requirements of S.B. 46.
Companies should also be aware that S.B. 46 could be seen as a model for legislation in other states (or even the federal government) to address the emerging data security issues related to online user accounts. Since 2002, 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving some form of personal information.[10] S.B. 46 will continue to fuel that trend, perhaps giving impetus to other jurisdictions to amend their data breach notification requirements. State laws in this area vary considerably, but at a minimum, S.B. 46 foreshadows further expansions of, and complications in, states’ privacy laws.
[1] Cal. Civ Code §1798.82(a).
[2] Id. § 1798.82(h).
[3] Id. § 1798.82(h)(1)-(5).
[4] Id. § 1798.82(5)(i)(1).
[5] Cal. Civ. Code § 1798.82(h)(2) (amended 2013, effective January 1, 2014).
[6] Id. § 1798.82(d)(4).
[7] See id.
[8] See id. § 1798.82(j)
[9] See id. § 1798.82(d)(5).
[10] See National Conference of State Legislatures, State Security Breach Notification Laws, available at http://www.ncsl.org/issues-research/telecom/security-breach-legislation-2012.aspx. As of mid-2013, Alabama, Kentucky, New Mexico and South Dakota did not have notification statutes for personal information breaches.
Published January 17, 2014.
