California amended its data breach notification law at the end of September, placing new requirements on companies offering identity theft prevention and mitigation services to those affected by data breaches. Additionally, the amendment prohibits the sale or release of social security numbers except for limited purposes.
Under California’s data breach law, any company that does business with California residents and suffers a breach of its information systems must give notice of the breach to affected California residents.
It is common practice to include in the legally required data breach notices an offer of services designed to protect the affected individual from identity theft or other forms of fraud. The new amendment stops short of requiring that such offers be included in all notices. Rather, the amendment only requires that if an offer of identity theft prevention and mitigation services is voluntarily made that the services are provided free of charge and include at least one year worth of protection.
California’s breach notification law already prohibits the public posting or display of social security numbers, and the amendment further limits use of social security numbers by prohibiting their sale or release. This restriction, however, comes with some limited exceptions. The law specifically prohibits the release of social security numbers for “marketing purposes.” The law permits release where the purpose is either one sanctioned by a state or federal law or the release is “incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose.”
Feature Photo by justgrimes from Flickr