CALIFORNIA ADDS TO IDENTITY THEFT PROTECTION LAW

Assembly Bill 1710 has strengthened California’s original security breach notification law, first passed in 2003. The Bill expands the applicability of the law to any company that merely maintains personal information of a California resident. The existing law had only been applicable to companies that own or license personal information. Companies that maintain such personal information are now required to comply with the obligation to “implement and maintain reasonable security procedures and practices. . . to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

The Bill also states that if a breached company is require to provide identity theft protection and mitigation services, it does so for at least 12 months with no cost to the affected person. The way the Bill is written, it is somewhat unclear if every breach requires that 12 months of free identity theft protection be offered.

Another change prohibits the sale, advertisement for sale, or offer to sell a person’s social security number. The current law only prohibits the public display or other acts that might compromise the security of a person’s social security number.

By: Richard Sheinis, Esq.