California Governor Brown is preparing to sign into law a new data security breach notification bill (S.B. 46) that expands the coverage of California’s existing breach law to include breaches of individuals’ online user names and email addresses, when acquired in combination with passwords or a security question and answer that would permit access to their online accounts. The bill passed the California legislature unanimously, by a final vote of 38-0 in the Senate on September 4, 2013, following final passage of an amended bill by the Assembly (77-0) on September 3, 2013. Governor Brown is expected to sign the bill before the expiration of the signing period on October 13, 2013.
The new law amends the existing California data breach notification law, California Civil Code Section 1798.82, which has been in effect in California since July 1, 2003. Specifically, S.B. 46 amends Section 1798.82(h) to expand the definition of “personal information” for which breach notification is required. The new law adds to the definition: “A user name or email address, in combination with a password or security question and answer that would permit access to an online account.” Once the amendment is made to the statue, this new prong of the definition will appear as Cal. Civ. Code Section 1798.82(h)(2) and the existing definition will be redesignated as Section 1798.82(h)(1).
Notification for breaches of personal information involving user names and email accounts may or shall, depending on the circumstance, occur differently than with breaches involving other types of personal data. Specifically, the new legislation adds Section 1798.82(d)(4), which indicates how businesses “may comply” with the notification requirements of the statute in cases where no other personal information and no “login credentials of an email account” are breached. Where email login information is breached, new Section 1798.82(d)(5) specifically prohibits “providing the security breach notification to that email address.”
The new rules for notification of breaches of an individual’s user name or email address with accompanying password or security question and answer that permits access to an online account (defined, for purposes of this discussion, as “Online Account Data”) may be summarized as follows:
• Notification for Breaches of Online Account Data that Does Not Involve Login Credentials for an Email Account: In the case of breaches involving Online Account Data and “no other personal information,” businesses may comply with the notification obligations of the statute “by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.”
• Notification for Breaches of Online Account Data Involving Login Credentials for an Email Account: In the case of a breaches involving Online Account Data that contains “login credentials of an email account furnished by the person or business,” the entity that furnished the login credentials, if breached, “shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in [the statute for breaches of other personal information] or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.”
For additional information regarding S.B. 46, please see our full-length client advisory entitled California Expands Data Breach Notification Law to Include Breaches of User Names and Email Addresses for Online Accounts.
Conclusion
The amended California breach notification statute will become effective on January 1, 2014. Businesses collecting and storing data of consumers who are California residents where the data contains user names or email addresses, along with passwords and security answers for accessing online and email accounts, should become familiar with the new law. These businesses should assess their current data security procedures and breach incident response plans in order to ensure future compliance with the amended statute in the event of a security breach incident.
Additionally, the expansion of the California breach notification law to cover user names and email addresses may have a significant influence nationwide, aiding the movement to pass similar amendments to the existing breach laws in 45 other states, as well as proposed federal breach notification legislation in Congress. The U.S. House of Representatives Committee on Energy and Commerce, for example, is considering adding provisions to upcoming breach notification bills that would require notification of breaches of consumers’ online account information, including email addresses, with accompanying passwords that would permit access to their online accounts. California’s passage of S.B. 46 may provide both the impetus and model for renewed action in Congress to enact a similar federal law.