Blog
California Expands Breach Notice Requirement to Cover User Names and Passwords
October 2, 2013
California Governor Jerry Brown recently signed into law S.B. 46, which amends Sections 1798.29 and 1798.82 of the Civil Code to require businesses and state agencies to notify consumers if their login credentials are compromised by a data breach. This new requirement will be effective as of January 1, 2014.
The existing law requires any agency, and any person or business conducting business in California, that owns or licenses computerized data that includes personal information to notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The existing law defined "personal information" to include an individual's first name and last name, or first initial and last name, in combination with one or more designated data elements relating to, among other things, social security numbers, driver's license numbers, financial accounts, and medical information.
The new law expands the definition of personal information to include a user name or email address, in combination with a password or security question and answer that would permit access to an online account.
Although notice of a breach of other compromised information under the law must be made in writing, notice of a breach that includes only the user name and password to an online account (and no other personal information) can be made electronically. The notice should direct the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the business or agency and all other online accounts for which that person uses the same user name or email address and password or security question or answer.
Additionally, if the breach involves login credentials for an email account furnished by the business or agency, the breach notice cannot be provided to that email address, but can be provided by written notice to the person or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the business or agency knows the resident customarily accesses the account.
Tip: This is the first breach law to specifically address a rising type of breach – when the username/password combination has been compromised. Companies that discover such an incident, and that have impacted residents in California, will have a statutory obligation to provide notice starting January 1, 2014.
This tip has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.
This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.