California Strengthens Consumer Privacy Laws in Response to Massive Data Breaches

October 20, 2014

Data security is a growing concern among consumers who have been victims of recent data breaches involving retailers and banks. Although there is no federal law requiring security of customer data, state governments have implemented laws dictating how companies manage customer data and respond to data breaches, with many requiring prompt notification to affected customers after a breach. Nearly all states currently have “data breach notification” laws.

California, which had one of the first data breach notification laws, recently approved upgrades to existing laws that will “strengthen privacy and consumer protections,” according to Governor Jerry Brown’s office. These new requirements are a step in the right direction after recent large-scale data breaches experienced by Target, Home Depot, Albertson’s, and other nationwide retailers. Additionally, California has enacted a new set of data protection laws to regulate and protect student information that will provide safeguards for data collected through school websites, and will prohibit the information from being shared or sold.

Data Breach Notification Law Provides New Guidelines for Companies Responding to Data Breaches

California’s latest data breach notification law, Assembly Bill 1710, made several additions to state regulations that cover customer information and data security. California’s statute already required a person or business subject to a data breach to notify data owners “immediately following discovery” of the breach. It also required the notification to be in plain language and to identify the information believed to be the subject of the breach, the date(s) and a description of the breach incident, as well as contact information for credit reporting agencies.

The recently passed AB 1710 amends the California statute to require that companies impacted by a data breach, if they decide to offer free credit monitoring, offer the services for one full year when a Social Security or driver’s license number is breached. Many companies affected by data breaches already do this. The changes also prohibit the sale of customers’ Social Security numbers unless it is necessary as part of a larger business transaction, such as when a business buys another and takes that company’s customer records. However, the law strictly prohibits the sale of Social Security numbers purely for marketing purposes.

Student Data Receives Increased Protection

Governor Brown also recently signed into law three bills which protect student data. Two of these, Senate Bill 1177 and AB 1584, regulate companies that contract with schools. SB 1177 applies to K-12 schools, while AB 1584 covers all local educational agencies, including community colleges. The laws require vendors to ensure reasonable security measures are in place to protect student information, prohibit tracking students for advertising purposes, and ban collecting or selling their data. In addition, AB 1584 mandates companies have notification procedures in place to inform parents and students in the event of a data breach. AB 1584 will be effective on January 1, 2015, and SB 1177 will take effect January 1, 2016.

AB 1442 will limit what social media information school districts may collect on students. If school districts collect this information, they must notify parents and provide an opportunity for public comments on the policy. Any third party that gathers social media data for the school district is prohibited from selling it, and the districts must destroy the information within a year after a student leaves the school or turns 18.

Gibbs Law Group Advocates for Consumer Privacy

Gibbs Law Group has extensive experience handling consumer privacy and data breach violations. Founding Partner Daniel Girard currently sits on the Executive Committee for the consumer litigation arising from the 2013 Target data breach. Gibbs Law Group also represents consumers impacted by data breaches involving Home Depot and Health Net, and is court-appointed lead counsel for consumers who had their personal information stolen in Adobe’s 2013 data breach. In February 2015, Gibbs Law Group filed a class action lawsuit against Anthem and its affiliates on behalf of all customers and employees affected by the Anthem data breach.

Has Your Data Been Subject To A Breach?

Gibbs Law Group’s privacy lawyers would like to speak to anyone whose personal data has been compromised as the result of a data breach. If you have been the victim of a data breach, call (866) 981-4800 or fill out the form to your right to speak with one of our attorneys.