A perennial trendsetter with regard to data security and privacy, California has updated its state law with tweaks that expand the scope of the privacy protections for state residents.
A.B. 1710 made three changes to existing law that go into effect January 1, 2015: first, businesses that maintain “personal information” about California residents must “implement and maintain appropriate and reasonable security procedures and practices” to protect the data from “unauthorized access, destruction, use, modification, or disclosure.” Personal information is defined to include an individual’s first name or first initial and last name, Social Security number, driver’s license number, as well as medical and financial account information.
Second, if a person or business was “the source” of a data breach and offers to provide identity theft prevention and mitigation services to affected individuals, the business must offer the services at no cost for at least 12 months. Some controversy has swirled around this provision, with debate on whether the language actually requires businesses to provide one year of free identity theft protection and mitigation services or if the law simply requires that if the services are offered, they last for 12 months and are provided gratis. Additional guidance may be forthcoming.
Finally, the new legislation prohibits a business from “selling, offering for sale, or advertising for sale” Social Security numbers. Limited exceptions were noted in the bill, including “if the release