Update Your Company Policies: California Breach Notification Law Amended
Starting January 1, 2020, San Diego and California businesses will have expanded notification obligations if there has been a data breach of unencrypted personal information. Your company policies and procedures will need to be updated. At the end of the most recent session, the State Assembly passed Assembly Bill 1130 (“AB 1130”) which redefines “personal information” to encompass all types of data that might be used to personally identify customers, patients, or clients. Governor Newsom signed AB 1130 into law on October 11, 2019. See text of AB 1130 here. Updating your company’s written policies and procedures should be done in consultation with an experienced San Diego corporate attorney. If there is a breach, one key fact with respect to the amount and extent of subsequent liability will be the nature, breadth, and effectiveness of your internal privacy protection policies. There are hundreds of data breaches every year and they are expensive for companies experiencing them.
The push to amend California’s breach notification law came as a response to the massive data breach at the Starwood hotel chain in September 2018. The data stolen in that cyber-attack covered 383 million unique guests and included names, home and email addresses, phone numbers, dates of birth, payment card data, and passport numbers. California Attorney General Xavier Becerra championed the amendments as a way to close a data protection gap and to “ensure that our state remains the nation’s leader in data privacy and protection.”
Under the old rules, affected persons were entitled to notification if a breach compromised the following types of information:
- Social security number
- Driver’s license
- California identification card number
- Medical or health data (if such could be used to specifically identify a person)
- Insurance data (if such could be used to specifically identify a person)
- Account, credit, debit, or other user-ID number if combined with a loss of security, password, or access codes
- License plate recognition data
The newly amended data breach notification law expands that definition to include:
- Biometric data — fingerprint, retina, iris images, facial recognition data, and similar
- Tax identification numbers
- Passport numbers
- Military identification numbers
- Other government identification numbers “commonly used to verify the identity of an individual”
There was significant debate in the State Assembly about what to include in the updated definitions. As such, the new definition of “personal information” was not as expansive as it could have been. For example, the new statute excludes photographs, digital images, and body/face reconstruction data from the definition of “personal information” where those photos/images/reconstructions are not used or stored for the purpose of personal identification or personal recognition. Further, the new act retains the rule that notification is only necessary if the information was not encrypted. Customers and clients do not need to be notified of a breach if the data that was stolen or accessed was unreadable or not usable because of encryption.
Contact San Diego Corporate Law Today
For more information, contact attorney Michael Leonard, Esq., of San Diego Corporate Law. Mr. Leonard can be reached at (858) 483-9200 or via email. Mr. Leonard provides a full panoply of legal services for businesses including formation of corporate entities of all types. Like us on Facebook.