Businesses in California now have added motivation to protect residents’ personal information after Gov. Jerry Brown signed A.B. 1710 into law Sept. 30, 2014, amending the state’s data breach notification law.
Effective Jan. 1, 2015, the new law requires companies that experience a data breach to not only notify affected people, but also provide “appropriate identity theft prevention and mitigation services” at no cost for at least 12 months, if the breach exposed or may have exposed specified personal information. The law also expands the scope of protections for personal information and prohibits the sale of individuals’ Social Security numbers.
“Recent breaches emphasized the need for stronger consumer protections and awareness. The retailers affected by the recent mega data breaches are not the first nor will they be the last,” said Assemblymember Roger Dickinson, D-Sacramento, and co-sponsor of the law. “A.B. 1710 will increase consumer privacy, ensure appropriate fraud and identity theft protection, and safeguard against the exploitation of personal information,” he added.
Specifically, the law:
Requires the source of the breach to offer credit monitoring services at no cost to the affected persons for no less than 12 months. The new requirement applies only if the breach involved Social Security numbers, driver’s license numbers or California identification card numbers, but not credit card account numbers or other personal information.
Prohibits the sale of Social Security numbers, except when part of a legitimate business transaction.
Expands existing personal information data security obligations to businesses that maintain personal information, in addition to those that own or license such information.
For this purpose, personal information refers to an individual’s first name or first initial and last name in combination with any one or more of the following data elements:
A. Social Security number.
B. Driver’s license number or California identification card number.
C. Bank account number, or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.
D. Medical information.
Roy Maurer is an online editor/manager for SHRM. Follow him @SHRMRoy