As part of a recent flurry of legislative activity with respect to online privacy, on September 27, 2013, California enacted legislation that will dramatically expand the scope of personal data subject to its notification requirements in the event of breach.
The Existing Data Breach Notification Rules
Under existing law, a California business that owns or licenses computerized data that includes “personal information” must disclose any system breach to any California resident whose unencrypted personal information was reasonably believed to have been acquired by an unauthorized person. Cal. Civ. Code § 1798.82(a). The statute currently limits the definition of “personal information” to an individual’s first name or initial, plus last name, plus one or more of the following data elements: (1) social security number; (2) California state ID number (including driver’s license); (3) any payment account number, including payment card numbers, in combination with a password or other code that would permit access to that account; (4) medical information; or (5) health insurance information. Id. § 1798.82(h). Most states and U.S. territories have enacted similar legislation.
The affected business is required to notify all potentially affected California residents “in the most expedient time possible and without unreasonable delay,” although a delay “may be permitted if a law enforcement agency determines that such notification will impede a criminal investigation.” Id. § 1798.82(a), (c). The notification must be in plain language and include (1) contact information for the business reporting the breach, (2) a list of the types of personal information potentially subject to the breach, (3) the date, approximate date, or date range during which the breach occurred, (4) whether the notification was delayed as a result of law enforcement, (5) a general description of the breach, and (6) if the breach exposed California ID or asocial security number, the contact information of the major credit reporting agencies. Id. § 1798.82(d)(1)-(2). If more than 500 California residents are to be notified, the business must also upload a sample copy of the security breach notification to the California Attorney General’s website. Id. § 1798.82(f).
The notification must be made either in writing (i.e., in hard copy) or, if the affected users have consented to electronic notification, via electronic notice. Id. § 1798.82(j)(1)-(2). If a business is required to notify more than 500,000 individuals or the notification would cost more than $250,000, the business may use “substitute notice,” which consists of all of the following: (1) email notice; (2) posting to the business’s website; and (3) notification to major statewide media and the state Office of Privacy Protection. Id. § 1798.82(j)(3).
The Updated Data Breach Notification Rules – Practical Implications and Open Questions
The new legislation, S.B. 46, expands the definition of “personal information” to include “[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account.” S.B. 46, Sec. 2. Under the new law, which goes into effect on January 1, 2014, a business which suffers a data breach that exposes usernames, passwords or security questions and answers is subject to the notification requirements outlined in the existing statute.
The implications of this amendment are far-reaching—nearly every business that offers personalized services (including free services) online requires the use of usernames and passwords, and most use security questions and answers as a backstop for forgotten passwords. Thus, the new legislation potentially imposes data breach notification requirements on a host of additional businesses. Businesses potentially affected by S.B. 46 should consider taking, at a minimum, the following steps:
- Store usernames, passwords, and security questions and answers in encrypted form, as only access to unencrypted personal information triggers disclosure obligations;
- Include in user terms and conditions a consent to electronic notification, to avoid having to provide written hard-copy notification in the event of a breach;
- Develop an internal protocol, consistent with the amended Cal. Civ. Code § 1798.82, for responding to reported or suspected security breaches.
One question that remains unanswered is how S.B. 46 will impact businesses that cannot immediately confirm whether potentially affected users are actually California residents. A number of online services allow users to self-report a home address, while others do not request that information at all. Businesses that fall into that category face some uncertainty regarding the scope of their obligations under S.B. 46.