From Lexology, October 1 2013, Sam Zun of Paul Hastings, LLP, “California Expands Data Breach Notification Requirements.”
The Updated Data Breach Notification Rules – Practical Implications and Open Questions
The new legislation, S.B. 46, expands the definition of “personal information” to include “[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account.” S.B. 46, Sec. 2. Under the new law, which goes into effect on January 1, 2014, a business that suffers a data breach exposing usernames, passwords, or security questions and answers is subject to the notification requirements outlined in the existing statute.
The implications of this amendment are far-reaching—nearly every business that offers personalized services (including free services) online requires the use of usernames and passwords, and most use security questions and answers as a backstop for forgotten passwords. Thus, the new legislation potentially imposes data breach notification requirements on a host of additional businesses. Businesses potentially affected by S.B. 46 should consider taking, at a minimum, the following steps:
- Store usernames, passwords, and security questions and answers in encrypted form, as only access to unencrypted personal information triggers disclosure obligations;
- Include in user terms and conditions a consent to electronic notification, to avoid having to provide written hard-copy notification in the event of a breach;
- Develop an internal protocol, consistent with the amended Cal. Civ. Code § 1798.82, for responding to reported or suspected security breaches.
One question that remains unanswered is how S.B. 46 will impact businesses that cannot immediately confirm whether potentially affected users are actually California residents. A number of online services allow users to self-report a home address, while others do not request that information at all. Businesses that fall into that category face some uncertainty regarding the scope of their obligations under S.B. 46.