Tech & Sourcing @ Morgan Lewis


Data breaches continue to make headlines, ringing alarms for companies at risk and for the regulators who look to control the risks involved. Recent actions by California’s legislature and Attorney General are key developments by state government authorities and are likely signals of similar actions that other states will take. In part one of this two-part series, we discuss California’s newly amended data breach statute. In part two, we will discuss the recently released data breach report by California’s Attorney General.

California’s New Data Breach Law

On September 30, California’s governor signed Assembly Bill No. 1710 into law, which makes three important changes to California’s data breach statute.

First, the amended statute requires businesses and persons that issue breach notices to include an offer to provide identity-theft prevention and mitigation services to the affected individual(s) when certain personal information may have been exposed by the breach. The services must be offered at no cost for at least 12 months. This requirement applies when “the person or business providing the notification was the source of the breach” and when the affected individual’s first name or first initial and last name are exposed in combination with his or her unencrypted Social Security number, driver’s license number, or California identification number.

Second, the bill expands the data breach law to include businesses that “maintain” personal information about California residents. Previously, the statute applied only to businesses that own and license personal information. Although the law does not clearly define what “maintain” means, this expansion could have significant implications for customers and service providers whose service relationships involve the personal information of California residents. As amended, the law now requires data maintainers to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

Third, the new law prohibits persons and entities from selling, advertising for sale, or offering to sell an individual’s Social Security number. Certain exceptions apply to this prohibition, including when “the release of the social security number is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose.”

The amended statute becomes effective January 1, 2015. Businesses and entities that could be affected by a data breach should be mindful of this new law as they assess and allocate risks in outsourcing, commercial, and other services-related transactions that involve the personal information of California residents.