California has toughened up its data disclosure law, pioneering legislation enacted in 2003 that directs companies and organizations to inform individuals when their personal data is compromised.
An amendment, signed into law this week, has added three additional requirements that could have an immediate impact on your business and how it secures sensitive organizational and customer information:
• Organizations that lose certain types of data and decide to offer “appropriate identity theft prevention and mitigation services” to victims, have to do so at no cost for 12 months.
• Organizations that “maintain” personal data, not just those that own or license personal data, now must have “reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
• Organizations can no longer sell, advertise for sale, or offer to tell someone’s Social Security number (SSN), which the law now considers illegal.
Why you should care
It appears that the legislative intent behind the law was to require companies to offer data breach victims monitoring, prevention and mitigation services. However, the wording of the bill was altered slightly to muddy the statue. Now the law simply provides that if organizations offer services to breach victims, they must do so at no cost; for a period of no less than 12 months; and deliver all the information necessary for the impacted consumers to take advantage of the offer. The actual meaning of the language, which is a bit confusing, most likely will be tested and interpreted by the courts in the coming year.
What to expect
Ultimately, we hope this encourages companies to provide monitoring services in cases where they’re useful, such as breaches that involve stolen SSNs, rather than in cases where it is a distraction, as with payment card breaches. There are generally accepted best practices for breach responses. Providing more robust support services is called for in higher risk situations, such as when there is a targeted theft of personal information. And lower level courtesy services are adequate for lower threat scenarios, in cases when information is lost or misplaced. Unfortunately the statute provides no real guidance as to what “appropriate services” are.
In addition, all companies should now be looking to implement and maintain reasonable security measures to protect data, whether it is theirs or a client business’s information. In addition, whether required or not, it seems that the mere mention of “appropriate identity theft prevention and mitigation services” would indicate that the State of California at least considers this a best practice.
How can I tell if my business “maintains data” and is now required to implement new security measures?
Previously the requirement to implement and maintain reasonable security measures was only incumbent upon those who owned or licensed personal information. However, the extension now applies to any organization that also maintains personal data. The definition of “maintains” is vague at best. Essentially the requirement means that if your business has personal information in its possession, whether it owns or licenses it or just holds it for another entity, it now needs to provide for its security as well. Seems common sense, but the statute fell short on that requirement in the past.
What steps should I take to protect my consumer information?
What the statute does not change is the fact that businesses that have sensitive consumer information should try and do their best to protect it. Training employees on the proper handling of information and using encryption are two easy ways to begin locking down your risks of a data breach. However, updating office systems, software and looking at your overall company’s data risk exposure are also good ways to minimize your risks.
Eduard Goodman is chief privacy officer for CyberScout.