California About to Enhance Data Breach Law

September 28, 2007 - California was the first state in the country to have a data breach notification law. The law has served as a model for other states, a majority of which now require consumers to be notified when their personal data is lost or stolen. Now California is about to make major modifications to its law which will up the ante for many businesses operating within the state. If Governor Arnold Schwarzenegger signs the bill now sitting on his desk, the cost to businesses for data breaches involving California residents is about to get much higher.

As with the current law, the new law will affect any business that does business with California residents, even if the business doesn't have a physical presence in the state. It will regulate the way that businesses store data, what data they can legally store, and what they have to do in the event of a breach. More importantly, it will pass most of the costs associated with a data breach directly back to the business that causes it. The present law doesn't accomplish this.

Data Storage

Under the revised law, any business that uses and stores personal information on California consumers would have to develop a data retention policy. The policy would have to describe the type of data stored, what that data would be used for and how it will be disposed of. The policy would specifically have to contain a time limit for the storage of personal consumer information.

All businesses would be barred from storing payment-related data, including credit card numbers and PINs, even if those numbers are encrypted. Payment data used to authenticate a transaction could only be stored until the bank making payment authorized the transaction.

The law would also bar businesses from transmitting personal consumer data over a network without using encryption. Companies would also have to limit access to consumer data to employees with a need-to-know.

Financial Liability

California's current law only requires businesses to notify consumers of a data breach when the business owns the consumer data being stored. But when a business has a consumer breach involving data that they don't own, their obligation is to notify the other business that owns the data. That second business then becomes responsible for notifying consumers of the data breach.

For example, if an online store has a data breach involving 1 million credit cards issued by a single bank, then the store must only notify that bank of the breach. In turn, the bank must then notify individual consumers, and the bank bears all of the costs associated with that notification. The bank is also responsible for the costs associated with issuing new credit cards.

Under the new law, if the online store mentioned above was responsible for the data breach, then it would have the financial responsibility for notifying consumers and for issuing new credit cards. The only exception to this is if the store can prove that it is in compliance with all of the data storage standards outlined in the law.

Expansion of the Term "Personal Information"

All data breaches involve the release of "personal information". Current California law defines "personal information" as a person's first name or initial, their last name and any one of the following:

  • Their Social Security Number
  • An account number such as a credit card, bank or checking account
  • A driver's license number
  • A state issued ID card number

The new law will also include medical and insurance information. Specifically, any information pertaining to medical conditions, medical history, mental disease, health insurance policy numbers, or medical claims history will now be considered personal information. A breach of this data would require notification to be sent to affected consumers.

This expanded definition has the potential to impact any business that maintains employee records with health care information contained within them. It should help prevent the growing crime of medical identity theft: the use of stolen insurance information by those without insurance coverage to receive medical treatment.

Conclusion

ACCESS supports the provisions of California's new law. If the governor signs the bill, the updated provisions would take effect on July 1, 2008. Minnesota is currently the only other state with a similar law on its books.

by Jim Malmberg
