California, Nevada Expand Scope of Customer Personal Information Subject to Reasonable Security Measures

Ballard Spahr LLP

Recent statutory amendments passed in California and Nevada expanding the definition of “personal information” will significantly impact the security measures businesses operating in these states must implement when handling personal information of customers residing there.

California, a leader in privacy and data security regulation, recently amended its privacy statute. The statute obligates businesses to protect state residents’ “personal information” by implementing and maintaining reasonable security procedures. The statute applies to two broad categories of businesses: those which own, license, or maintain personal information about California residents, and those which, pursuant to contract, disclose personal information about California residents to unaffiliated third parties. When disclosing personal information, businesses are also required to “pay (the protection) forward” by including, in the agreements with the third parties to whom information is disclosed, contractual provisions mandating implementation of reasonable security measures. Businesses that fall under certain other state or federal laws providing greater protection to customer personal information are exempt from the provisions of this section (for example, the statute does not apply to entities already covered by HIPAA and the California Financial Information Privacy Act).

In its current form, the statute defines “personal information” as a person’s name in combination with his or her Social Security number, driver’s license or California identification card, credit or debit card number and password, or medical information. The amendment has been designated as “non-urgency” legislation and will become effective January 1, 2016, pursuant to California law. When the amendments take effect, “personal information” will also include a person’s name coupled with his or her health insurance information, and a username or e-mail address in combination with a password or security question and answer that would permit access to an online account. “Health insurance information” will mean policy or subscriber identification numbers, “any unique identifier used by a health insurer to identify an individual, or any information in an individual’s application and claims history, including any appeals records.”

Nevada also recently amended its analogous personal information security act, which applies to the same two categories of business as the California statute and requires implementation of similar reasonable security procedures. Effective July 1, 2015, the “personal information” definition under the statute includes driver authorization card numbers, medical and health insurance identification numbers, and user names with unique identifiers or e-mail addresses coupled with passwords, access codes, or security questions and answers that would permit access to online accounts.

While most businesses in California and Nevada have already implemented security measures that comply with the existing laws, Nevada businesses will need to immediately tailor and expand such measures to account for the newly defined personal information. California businesses will need to do so by January 1, 2016. These amendments serve as a reminder to businesses collecting personal information of the importance of having appropriate security measures in place and adequately managing vendors or other contract partners. In addition to an appropriate diligence process, it is advisable to include appropriate protective provisions in contracts with third parties, as well as to require monitoring and/or audit rights with respect to such third parties’ protective measures.
