Reed Smith’s Global Regulatory Enforcement Law Blog features a post on a California bill recently signed into law which expands the scope of requirements for entities that own, license, and maintain personal data or information about a California resident. “Did California Just Impose a First-in-the-Nation Requirement for Breaching Companies To Offer Identity Theft Prevention and Mitigation Services?” written by Reed Smith attorneys Paul Bond, Lisa Kim, and Leslie Chen, focuses on the three sections of the California Civil Code affected by the amendment:
- An entity that “maintains” an individual’s data or information – such as a retailer – is required to employ appropriate anti-breach protection. Previously this was only required of companies who “owned” or “licensed” personal information;
- An entity identified as the source of a breach of social security numbers or driver’s license numbers must offer affected individuals appropriate anti-breach protection and mitigation services for a period of at least one year; and
- An entity is disallowed – except in particular circumstances – from selling, advertising, or offering for sale an individual’s social security number.
The amendments will go into effect on January 1, 2015, after which point entities that do not follow these regulations will be at risk for legal action brought by affected individuals.
To read the full post, click here.