Late Friday, Governor Jerry Brown of California signed into law the already infamous AB 370 as well as significant amendments to California’s existing breach notification laws via SB 46 and AB 1149. These laws break new ground in the privacy legal landscape – and it will be interesting to see if other states follow suit, as they did with California’s original breach notification law.
(5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.
(6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
SB 46 and AB 1149 amend California’s existing breach notification laws, California Civil Code sections 1798.82 (applicable to persons and businesses) and 1798.29 (applicable to agencies), respectively, to add to the list of data elements that constitute “personal information” that may trigger notification requirements in the event of a security breach “[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account.”
The new laws provide that, in the event of a breach involving such information for an online account and no other personal information, the person or business may comply by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.
The law is also explicit that, in the event of a breach involving such information for login credentials of an email account furnished by the person or business, the person or business shall not comply by providing the security breach notification to that email address, but may, instead, comply with the law by providing notice by another method described in the law or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.
Takeaway: Organizations experiencing a security breach involving a California resident’s user name or email address, in combination with a password or security question and answer that would permit access to an online account, should evaluate the changes imposed by SB 46 and AB 1149 to determine what is required of them with respect to notices.