The weekly disclosure of new data breaches that involve retail and other corporations has focused the general public and state legislatures on privacy maintenance and the proper handling of consumer notifications for the breaches. Amid this climate, California continues to lead the way in passing new or updating existing data protection legislation. This LawFlash summarizes some of the new California statutory standards that will mostly take effect in 2015.
California: Bellwether State on Data Notification Standards
California has long been considered a bellwether state that initiates new trends. This leadership role has held true on data privacy matters.
For example, in 2002, California enacted the first data security breach notification law, which became effective in July 2003.[1] Today, 47 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have breach notification laws.[2]
In October 2014, the California Attorney General issued the California Data Breach Report, which revealed a startling increase in data breaches. Among other issues, the report “recommended that companies should offer mitigation products or provide information on the security freeze to victims of breaches of Social Security numbers or driver’s license numbers.”[3]
California continues to break ground on new data breach standards. It will be critical to watch, therefore, whether the new statutes and standards, summarized below, may be adopted in other jurisdictions.
New California Privacy Statutes for 2015
Reflecting the focused public interest in privacy in the state, the California State Legislature recently passed a range of privacy-related bills affecting private sector activities in the last few months alone. The new privacy statutes include the following:
Second, where the notifying entity was the source of a breach involving the disclosure of Social Security or driver’s license numbers, and “if any” offer to provide identity-theft prevention or mitigation services is made, it must be made at no cost to the affected person for no less than 12 months along with all information necessary to take advantage of the offer. This bill takes effect on January 1, 2015.[6]
Conclusion
Because of California’s leading role in setting privacy standards nationwide, it remains to be seen whether a range of similar laws in other states may follow. This rising complexity, coupled with the potential for future federal engagement in this space, underlines the urgency, even for smaller entities, of seeking ongoing counsel to develop and manage adequate compliance regimes that can be adapted to the evolving landscape and to maintain real-time awareness of that evolution.
[1]. Senate Bill No. 1386 (2002) (amending Cal. Civ. Code §§ 1798.82, 1798.29), available here.
[2]. See Security Breach Notification Laws (listing jurisdictions), available here.
[3]. See 2014 California Data Breach Report, at 3 (Oct. 2014), available here; see also Barbara Melby and Christopher C. Archer, “Data Breach Developments in California (Part 2),” Sourcing @ MorganLewis (Nov. 25, 2014), available here.
[4]. 15 U.S.C. §§ 6501–6506, Pub. L. No. 105–277, 112 Stat. 2681-728 (Oct. 21, 1998).
[5]. Senate Bill No. 568 (Sept. 23, 2014), available here.
[6]. Assembly Bill No. 1710 (Sept. 30, 2014), available here; see also Barbara Melby and Christopher C. Archer, “Data Breach Developments in California (Part 1),” Sourcing @ MorganLewis (Nov. 20, 2014), available here.
[7]. Assembly Bill No. 1755 (Sept. 18, 2014), available here.
[8]. 20 U.S.C. § 1232g.
[9]. Assembly Bill No. 1584 (Sept. 29, 2014), available here.
[10]. Assembly Bill No. 1442 (Sept. 29, 2014), available here.
[11]. Assembly Bill No. 1177 (Sept. 29, 2014), available here.