On January 1, 2014, a new data breach notification law will take effect in California (of course). The Golden State has been leading the charge for years in enacting data privacy and security standards and is poised to continue that role. These developments are important because (1) many other states tend to follow California’s lead on data privacy and security legislation, and (2) many companies follow California privacy laws because they are the strictest across the country. Certainly, for companies that collect and store data from residents of numerous states, complying with the most restrictive laws (which often are in California) is more practical and efficient than developing a state-specific patchwork of policies and procedures.
While choosing to comply with the most restrictive law makes sense in many instances, this strategy can be frustrating or even impossible to execute when a company experiences a data security breach. Indeed, while many states have modeled their breach notification laws after the California standard (in 2002 California was the first state to enact a breach notification law) there is still a great deal of variety among the different state laws regarding the breach notification requirements, including the permitted or required methods of providing notice (written, electronic, web, media publication); the entities (law enforcement, credit agencies, regulators, and others) that need to be notified; and what constitutes a breach.
California Senate Bill No. 46 further complicates the breach notification paradigm. The one consistency among the various state breach notification laws (in addition to California, 45 states, the District of Columbia and Puerto Rico have breach notification laws) has been the definition of “personal information.” That is, just about every state defines personal information to include an unencrypted individual’s first name or first initial and last name in combination with a social security number, driver’s license number, financial account information, or medical information. However, the new California law expands the definition of personal information to include a user name or email address in combination with a password or security question and answer that would permit access to an online account. Thus, the online credentials that many consumers use to access websites and many mobile applications are now considered personal information and subject to the breach notification requirements.
If a breach of this new category of personal information occurs, the entity maintaining such data may comply with its breach notice obligations through an “electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer” or to take other steps to protect their account or other online accounts that use the same credentials. However, if the breach involves credentials of an email account that is furnished by the provider, then the breach notice may not be sent to that particular email, but rather may be sent in written form via an alternative electronic notice which is consistent with the E-Sign Act, or by providing a clear and conspicuous notice that is delivered to the user when they are connected through an IP address or other online location which the provider knows is used regularly by the affected individual to access the applicable account.
Practically speaking, we expect that this amendment will result in many providers encrypting user names and/or passwords to avoid the application of the law. That said, breaches have become so common that many providers provide some type of notice to their affected customers even if they are not legally required to do so by a particular state law. As we have seen before, we also expect that other states will amend their breach notification laws to follow this California change.