California recently passed a law updating its breach notification requirements and making it the first state to expand the definition of personal information to expressly include login credentials for online accounts.
The California legislature passed Senate Bill (S.B.) 46 in early September 2013 and the Governor signed it into law on September 27. S.B. 46 amends the text of California Civil Code Section 1798.82, the existing data breach notification law applicable to private businesses and a companion provision, California Civil Code Section 1798.82, applicable to government agencies. These were the first such laws in the United States (in effect since July 1, 2003). California has previously amended these laws to address issues such as expanding the definition of personal information to include medical and health insurance information and to require Attorney General notice for breaches affecting more than 500 California residents. The latest amendments become effective as of January 1, 2014.
Previously, California’s notification law required businesses to notify affected consumers only if a security breach involved an individual’s first name or first initial and last name in combination with any one or more of the following unencrypted data elements: social security number; driver’s license number or California identification card number; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; medical information; or health insurance information.
The new law includes two key changes:
First, it expands the definition of “personal information” by adding user names or email addresses, in combination with a password or security question and answer that would permit access to an “online account.” Hence, companies would be required to notify individuals if and when their passwords, usernames, or security question and answers are compromised or stolen.
Second, the new law introduces options in the notification for breaches of personal information involving user names and email accounts that are not available for breaches involving other types of personal data.
Specifically, the law contemplates scenarios where a breach involves: (a) non-email account login information, (b) email account login information, or (c) both account login information and other types of personal information.
For breaches involving non-email account login information, businesses may comply with notification obligations by providing notification in electronic or other form directing the affected individuals to change their password, security question or answer, or take other appropriate steps to protect their breached accounts.
For breaches involving email account login information, notification should not be made to the affected email address. Instead, the obligation can be satisfied using other existing notification methods—such as written notice or “substitute” notice as provided for under the breach notification law—or providing clear and conspicuous notice delivered to an IP address or online location that the business knows the consumer often uses to access the breached account.
For breaches involving both account login information and other personal information, the notification must be provided in accordance with existing notice requirements.
These additions to California’s notification law may also prove significant elsewhere because businesses maintaining online account information that must provide notice of a breach to California residents as a result of the new provisions may also notify similarly situated affected individuals in other jurisdictions in the same manner. Additionally, the new California requirements may encourage amendments to the 45 other existing state breach laws and to proposed federal breach notification legislation. For instance, the Committee on Energy and Commerce in the U.S. House of Representatives is considering adding provisions to upcoming breach notification bills requiring notification of breaches of consumers’ online account information. California’s S.B. 46 could serve as a model for how Congress approaches drafting these new provisions.
Adnan Zulfiqar, an associate in our Washington D.C. office, contributed to this post.