Even as Congress continues to debate passing a unified federal data breach notification law, California continues to be at the forefront of data privacy regulation. Here, we briefly discuss two California privacy bills to watch during the latter half of 2015.
1. Data Breach Response - Identity Theft Prevention and Mitigation Services
California Bill AB 259 seeks to amend Section 1798.29 of the Civil Code (relating to information privacy). The bill applies specifically to "agencies" and would require an agency that is the source of a data breach involving "a person's social security number, driver's license number, or California identification card number" to "offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information[.]"
As used in the Information Practices Act of 1977 to which this bill would apply, "agency" is defined as:
This is an interesting proposal by Assembly Member Dababneh because whether identity theft monitoring services are actually helpful after a data breach has received mixed reviews. At the same time, because of the words "if any" (quoted above), the bill does not appear to actually require that agencies offer "identity theft prevention and mitigation services" at all; it requires only that, if such services are offered, they be offered for at least 12 months and at no cost to the affected individual. That "if any" phrasing mirrors the language already applied to businesses in Section 1798.82, so agencies would be held to the same conditional standard.
2. Reasonable Security Procedures - Geophysical Location Information
California Bill AB 83, introduced by Assembly Member Gatto, seeks to amend Section 1798.81.5 of the Civil Code (relating to personal data). The bill would expand the list of personal information that businesses must protect to expressly include "geophysical location information," defined to mean "any personally identifiable information describing or concerning the duration of a transportation service provided to an individual, the location and route of a transportation service provided to an individual, or, if applicable, the monetary exchange associated with a transportation service provided to an individual." The bill would also amend the "reasonable security procedures and practices" that businesses must maintain, so that the revised subdivision (f) would read:
(f) For purposes of this section, "reasonable security procedures and practices" as they pertain to the storage and transmission of personal information shall require, at a minimum, the security of that information to the degree that any reasonably prudent business would provide. All of the following shall also apply:

The definition of geophysical location information appears to be directly targeted at the ride-sharing services that are growing in popularity in the new 'sharing economy.' But it may be too narrow given the many other devices and companies that collect geophysical location information. For example, Ars Technica recently reported on a case out of California in which an employee alleges that she was fired for deleting an app that tracked her location 24 hours a day. (But see also California Bill SB 576, which "would require the operator of a mobile application to provide clear and conspicuous notice that fully informs consumers when, how, and why their geolocation information, as defined, will be collected, used, and shared upon installation of the application. The bill would require the operator of a mobile application to obtain consent before collecting or using geolocation information and to obtain separate consent before disclosing that information.")
For those working in the healthcare space, the new "reasonable security procedures and practices" language in Bill AB 83 will be very reminiscent of the HIPAA Security Rule requirements, in particular the risk analysis process. The new language is also similar to the requirements the Federal Trade Commission has set out through its regulation-by-litigation (or enforcement) process. This bill would, in effect, extend those requirements to all industries operating in California. While businesses may not be pleased with this level of detail, for businesses that are unsure of their obligations Bill AB 83 would clarify the requirements (and will likely increase litigation).
Posted by Tatiana Melnik on June 8, 2015