California’s data security statute will get a little more “personal” as of January 1, thanks to a recently passed amendment revising the definition of covered personal information.
On July 14, California expanded the definition of “personal information” under its data security statute with the enactment of A.B. 1541, effective January 2016. Specifically, the definition of “personal information” will then include (a) a username or e-mail address combined with a password or security question and answer for access to an online account; and (b) health insurance information. Health insurance information is defined to include (1) an individual's insurance policy number or subscriber identification number; (2) any unique identifier used by a health insurer to identify the individual; or (3) any information in an individual's application and claims history, including any appeals records.
The data security statute essentially requires businesses that own, license, or maintain residents’ “personal information” to establish reasonable security procedures. The law also requires businesses that share personal information with other parties, such as vendors, to ensure by contract that the vendor establishes reasonable security procedures.
This amendment, which takes effect on January 1, 2016, essentially brings the definition of personal information in the data security statute into harmony with California’s data breach notification law. According to one legislative committee, the addition of usernames and passwords to the definition of personal information was in part due to the fact that residents “use the same password or username or answer to a security question for some or all of their online accounts.” Consequently, a “breach of one online account can have a cascading effect upon the user’s other accounts.” Neither statute includes a definition of an online account.
Entities that maintain personal information of customers and are subject to California law will need to review and revise their data security and data breach notification policies and procedures to ensure compliance with the amendment before the changes go into effect next January.
Please refer to Davis Wright Tremaine’s data breach notification summaries for information regarding breach notification requirements that your business may be subject to.