Originally published December 15, 2004

Contents

  • Analysis of California A.B. 1950
  • Steps to Consider in Light of the Statute

The first non-sector-specific information security law in the country imposing a duty on businesses and non-profits to implement and maintain reasonable security procedures and practices to protect sensitive personal information will take effect on January 1, 2005. California A.B. 1950, which was signed by Governor Arnold Schwarzenegger this fall, requires entities that "own or license" sensitive personal information about a California resident to implement and maintain "reasonable security procedures and practices appropriate to the nature of the information" in order to protect such information from unauthorized access, destruction, use, modification, or disclosure. In addition, entities that disclose such personal information about a California resident to an unaffiliated third party pursuant to a contract must bind that third party by contract to implement reasonable security procedures and practices with regard to such personal information.

A.B. 1950, codified at Civil Code § 1798.81.5, is significant for several reasons. First, prior to A.B. 1950, information security laws for personal information, such as the Gramm-Leach-Bliley Act (GLB) and the Health Insurance Portability and Accountability Act (HIPAA), applied only to particular business sectors, such as financial services and health care. Never before had a federal or state law imposed a general duty on businesses to protect certain types of personal information. Second, the law applies to online and offline data, to nonprofits, and to data regarding any California resident, not just consumer or customer data. Third, it imposes a standard of care (albeit a very general one that provides little guidance on the specific technical measures needed to comply) that supplies the "duty" element of a lawsuit based on a negligence theory. Consequently, the law could be used by plaintiffs' lawyers to bolster claims for negligent security practices or negligent handling of data, or lawsuits under California Business & Professions Code § 17200 (although remedies under that statute are limited to injunctions, restitution, and, in some cases, attorneys' fees).

The law exempts entities subject to information security regulation under California or Federal health care privacy laws, California’s financial privacy law, and California’s DMV privacy law. As discussed below, lawyers from our firm negotiated to narrow the law in several significant respects.

Analysis of California A.B. 1950

What Is the Intent of California A.B. 1950?

As with many California laws prompted in large part by a single, widely reported incident, A.B. 1950 was promoted as a response to an incident in which documents containing sensitive personal information about NBC employees were mistakenly used as props in a Los Angeles-based television production. The law's stated purpose was to fill gaps in data security law for businesses that are not otherwise subject to data security regulation.

What Personal Information Must Be Protected under California A.B. 1950?

Lawyers from our firm negotiated to narrow the definition of "personal information" in A.B. 1950. Under A.B. 1950, "personal information" is defined quite narrowly to cover only a person's first and last name (or first initial and last name) in combination with one or more of the following sensitive data elements:

  1. social security number;
  2. driver's license number;
  3. California Identification Card number;
  4. account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial accounts; or
  5. information regarding medical history, or medical diagnosis or treatment by a health care professional.

Moreover, there are two exceptions to the definition of "personal information" under A.B. 1950. First, if both the name and the other data elements are either encrypted or redacted, then such information does not fall within the definition of "personal information". Like the California Security Breach Notification Law, California A.B. 1950 is designed to encourage the encryption of personal information.1 However, unlike the California Security Breach Notification Law, California A.B. 1950 provides an alternative to encryption by permitting a business to redact personal information. Second, the definition of personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Overall, the scope of A.B. 1950 is broader than that of the California Security Breach Notification Law, codified at Civil Code § 1798.29. It applies not only to stored, computerized data, but also to information that is not in computerized or electronic form, and to electronic information that is in transmission, and, in addition to the data elements covered by the California Security Breach Notification Law, includes data elements relating to medical history, diagnosis, or treatment. Finally, the scope of the law is not limited to customer personal information. It applies to any California resident's covered personal information, including that of employees.

What Businesses Are Required to Comply with the Law?

A.B. 1950 applies to all "businesses" that "own or license" covered personal information. The statutory definition of a "business," located in the same Title of the Civil Code, § 1798.80, includes corporations, associations, or groups, however organized, and "whether or not organized to operate for a profit". Thus, the statute appears to reach nonprofits to the extent that they own or license data regarding California residents, and such a nonprofit would have to implement reasonable security measures for the sensitive information covered by the bill. The new law also reaches data stored outside of California, if the data relate to a California resident.

What Does It Mean to "Own or License" Personal Information?

Working on behalf of the ISP industry, our lawyers negotiated to narrow the scope of the bill to data "owned or licensed" by businesses. In the final version of the bill, the word "obtain" was replaced with "owns or licenses" in order to limit the scope of its security requirement to exclude intermediary service providers that store information on behalf of, or for the benefit of, another business. Instead, the statute requires that businesses that own or license personal information bind by contract third parties to whom they disclose the "personal information" regulated under the Act to maintain reasonable security practices and procedures. Thus, third-party ISPs or website hosts, for example, that store information on behalf of such businesses are not directly regulated by the new law.

However, the legislation is not entirely clear with regard to many other third-party service providers. In most contracts where personal information is exchanged between businesses, the information is licensed to the intermediary or third party. This would in all likelihood make the recipient a licensee of the data and, therefore, regulated by the Act. Even if the contract did not contain an express license grant to the use of personal information, an aggressive plaintiff's lawyer may attempt to argue that the recipient has an implied license and, therefore, should be subject to the Act.

Furthermore, the preamble to the law states that the definition of "owns or licenses" is intended to include, but is not limited to, personal information that a "business retains as part of the business' internal customer account or for the purpose of using that information in transactions with the person to whom the information relates" (emphasis added). An intermediary or third party would not clearly fall under the first part of the definition, as the information is not retained by the intermediary or third party for its own internal customer account but instead is retained on behalf of the owner or licensor. However, an intermediary or third party that uses the information in transactions with a California resident likely would be covered. Moreover, plaintiffs could attempt to rely on the "not limited to" language in the preamble as a means to extend liability in other contexts.

Disclosures to Third Parties

As discussed above, third-party service providers may not be directly regulated by the law. However, businesses that own or license personal information about California residents and that disclose that information pursuant to a contract with a non-affiliated third party must require that third party, by contract, to implement and maintain "reasonable security procedures and practices appropriate to the nature of the information".

What Are Reasonable Security Procedures and Practices?

The sponsor of A.B. 1950 consciously chose an open-ended, flexible security requirement that can vary based on the circumstances and evolve over time as technology improves. While this approach makes sense as a policy matter, it provides companies with almost no guidance about what to do in order to comply, with the exception of redacting or encrypting information. As with the California Security Breach Notification Law, the appropriate type and level of encryption are left to the business to determine.

What constitutes "reasonable security procedures and practices" is an art, not a science. Outside of HIPAA, where more precise technical guidance is provided, what constitutes "reasonable security procedures and practices" remains for the courts and regulatory bodies to interpret. This uncertainty risks providing fodder for the plaintiffs' bar and often will require businesses to hire outside consultants and lawyers to assist in determining what security measures are "appropriate" to the nature of the particular information regulated by the Act.

Exemptions

A.B. 1950 exempts companies regulated by the HIPAA privacy and security rules, the California Confidentiality of Medical Information Act, the California Financial Information Privacy Act, or that receive DMV information and are subject to the confidentiality provisions of the California Vehicle Code. These exemptions are phrased in status-based terms, suggesting that even parts of a business that are not regulated under these other security laws still will be exempt from A.B. 1950.

Enforcement

The Federal Trade Commission has been quite active in using its Section 5 authority to enforce against deceptive representations regarding private sector security practices. However, so far there has been very little private litigation challenging the adequacy of private sector security practices. A.B. 1950 may accelerate the filing of such litigation by defining, in general terms, a standard of care. In the event of a hacking incident, the California Security Breach Notification Law requires notification to affected Californians if the breach involves any of the data elements covered by A.B. 1950 other than the medical elements. This mandatory notice would inform affected residents of the breach, would identify a plaintiff class, and thereby would increase the risk of litigation.

Plaintiffs are most likely to bring negligence lawsuits seeking damages under the theory that A.B. 1950 imposes a duty of care with which the defendant failed to comply. Under California Business and Professions Code §§ 17200 et seq., as amended this November by Proposition 64, plaintiffs still can sue to obtain restitution, injunctions and, in some cases under the public benefit statute, attorneys' fees for conduct that is "unlawful" under California law, including violations of A.B. 1950. However, as amended by Proposition 64, § 17200 now has standing requirements and no longer permits anyone (such as a disgruntled former employee) to sue to vindicate violations of California law unless they meet ordinary standing requirements and have lost money or property as a result of the violation. If plaintiffs have been injured by a security breach, however, either a negligence claim or a § 17200 claim would raise questions of fact and would not be easily dismissed. On the other hand, the restitution available under § 17200 likely would not offer the prospect of a major recovery, making these claims less threatening in terms of the risk of a large damage award.

Steps to Consider in Light of the Statute

As with the California Security Breach Notification Law, A.B. 1950 has national implications for most companies’ data security practices. In many instances, businesses will not know which data relates to California residents and, moreover, data concerning California residents is not likely to be segregated from other data. Even if California data can be segregated, taking greater security measures for California residents’ data and lesser security measures for data concerning residents of other jurisdictions creates the risk of a negligence case against the company.

Our Electronic Commerce and Privacy team suggests considering the following steps in light of this new law:

Are You Covered?

  • Audit all data systems containing sensitive personal information of California residents covered by the law, including data systems located outside of California.
  • For systems that combine data for both residents of California and non-residents, consider whether you are able to determine which individual data files relate to California residents. Even if you can segregate covered data of California residents, consider the liability implications of providing greater security protection for California residents only.
  • In conducting your audit and developing your written policies, remember that the definition of "personal information" in A.B. 1950 is not limited to a "customer's" personal information, but includes personal information concerning employees and other non-customers.
  • Consider redacting covered personal information or, where redaction is not feasible for computerized data (as may be the case for credit card data that must be used in transactions), encrypting this information in storage and in transmission. These practices not only provide a safe harbor under the law, but are consistent with industry-standard practices in many instances, and with the spirit of both the California Security Breach Notification Law (Civil Code § 1798.29) and the California law regarding confidentiality of Social Security numbers (Civil Code § 1798.85). If you plan to rely on encryption, you also should confirm that the encryption keys are generated, stored, rotated, and access-controlled separately from the data they protect and that the key management system is secure and technologically up to date; encrypted data whose key sits beside it, or is readable by the same accounts as the data, offers little protection.
  • Consider all of the places where you request and maintain the types of more sensitive personal information covered by the law, and determine whether this information is truly necessary to perform the task for which it is being collected and whether it can be deleted.
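The audit steps above turn on two questions that are easy to answer wrong at scale: does a given record actually meet the statutory definition (a name plus at least one sensitive element, neither encrypted nor redacted, and not drawn from a public government record), and does a redacted copy still meet it? The following is an added example written for this article, not code from the statute, the firm, or any vendor. It encodes the definition as written in the section above over a small constructed inventory and produces redacted copies. The field names, the "enc:" prefix used to mark ciphertext, and the asterisk mask used for redacted values are assumptions of this example; the statute prescribes no particular format for either.

```python
"""Classify records against the A.B. 1950 definition of "personal information"
and produce redacted copies.  Added example for this article; all field names,
marker conventions and sample records below are constructed for the demo."""
import re
from typing import Any, Dict, List, Optional

Record = Dict[str, Any]

# Elements 1, 2, 3 and 5 of the definition complete it on their own once paired with a name.
STANDALONE_ELEMENTS = ("ssn", "drivers_license", "ca_id_card", "medical")
# Element 4: an account/card number counts only together with a code or password
# that would permit access to the account.
ACCOUNT_FIELDS = ("account_number", "card_number")
ACCESS_FIELDS = ("security_code", "access_code", "password")

# Assumed storage conventions (not from the statute): ciphertext carries an
# "enc:" prefix; a redacted value is one or more '*' plus at most 4 trailing
# characters, or the literal token below for free text.
ENC_PREFIX = "enc:"
REDACTED_TOKEN = "[REDACTED]"
MASK = re.compile(r"^\*+[-*]*[0-9A-Za-z]{0,4}$")


def is_protected(value: Optional[str]) -> bool:
    """True if a field is absent, encrypted or redacted, i.e. not readable in the clear."""
    if not value:
        return True
    if value == REDACTED_TOKEN or value.startswith(ENC_PREFIX):
        return True
    return bool(MASK.match(value))


def name_in_clear(rec: Record) -> bool:
    """A first name (a bare initial is enough) and a last name are both readable."""
    return not is_protected(rec.get("first_name")) and not is_protected(rec.get("last_name"))


def elements_in_clear(rec: Record) -> List[str]:
    """Which sensitive data elements are readable in this record."""
    found = [f for f in STANDALONE_ELEMENTS if not is_protected(rec.get(f))]
    account_open = any(not is_protected(rec.get(f)) for f in ACCOUNT_FIELDS)
    access_open = any(not is_protected(rec.get(f)) for f in ACCESS_FIELDS)
    if account_open and access_open:      # element 4 needs both halves in the clear
        found.append("financial_account")
    return found


def is_covered(rec: Record) -> bool:
    """Does the record meet the definition of covered personal information?"""
    if rec.get("public_record"):          # lawfully available government record: excluded
        return False
    return name_in_clear(rec) and bool(elements_in_clear(rec))


def redact(rec: Record) -> Record:
    """Copy of the record with sensitive elements masked to at most their last four
    characters (short values are masked entirely) and access codes dropped outright."""
    out = dict(rec)
    for f in STANDALONE_ELEMENTS + ACCOUNT_FIELDS:
        v = out.get(f)
        if not v or is_protected(v):
            continue
        if f == "medical":
            out[f] = REDACTED_TOKEN
        else:
            chars = re.sub(r"[^0-9A-Za-z]", "", v)
            keep = chars[-4:] if len(chars) > 4 else ""
            out[f] = "*" * (len(chars) - len(keep)) + keep
    for f in ACCESS_FIELDS:
        out.pop(f, None)
    return out


def audit(records: List[Record]) -> List[Dict[str, Any]]:
    """One row per record: is it covered, and which elements are readable."""
    return [{"id": r.get("id"), "covered": is_covered(r), "elements": elements_in_clear(r)}
            for r in records]


# Constructed sample inventory (not real data).
SAMPLE_RECORDS: List[Record] = [
    {"id": "emp-1", "first_name": "J", "last_name": "Doe", "ssn": "123-45-6789"},
    {"id": "cust-1", "first_name": "Maria", "last_name": "Lopez", "card_number": "4111111111111111"},
    {"id": "cust-2", "first_name": "Maria", "last_name": "Lopez",
     "card_number": "4111111111111111", "security_code": "123"},
    {"id": "emp-2", "first_name": "Wei", "last_name": "Chen", "ssn": "enc:QUVTLUdDTS1DVA=="},
    {"id": "pub-1", "first_name": "Sam", "last_name": "Park",
     "drivers_license": "D1234567", "public_record": True},
    {"id": "pat-1", "first_name": "**", "last_name": "****", "medical": "Type 2 diabetes"},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_RECORDS):
        print(row)
    print(redact(SAMPLE_RECORDS[2]))
```

Two points the output makes that the text only states: a card number with no accompanying code or password (cust-1) does not by itself complete element 4, and a record whose name is redacted but whose diagnosis is readable (pat-1) falls outside the definition even though the sensitive element itself is exposed. Treat the second case as a statutory boundary, not a security goal; the redaction routine here masks the element regardless.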

Implementing Reasonable Practices and Procedures

  • If you have not already done so, establish written security practices and procedures, working closely with your information technology specialists and users of any relevant personal data repositories (such as marketing, customer service, and finance). Your written policy should address procedures to limit, detect, and respond to attacks, intrusions, or other system failures for covered information as well as the storage, destruction, and handling of information. The final version of the written plan should be reviewed by counsel with an eye toward ensuring that it complies with existing laws and is not internally inconsistent.
  • Regularly monitor, test, and update your information security program and written plan.
  • Conduct, on a regular basis, a risk assessment to verify that the plan is adequate for the data and risks in question. Prepare a written report of your findings and evaluate and adjust the program in light of relevant circumstances, including changes in your business arrangements or operations, or the results of testing and monitoring of safeguards.
  • The success of your safeguards program depends, in large part, on the employees charged with implementation and monitoring of the program. Thus, it is important to train managers and employees who have access to data or documents that contain SSNs, credit card numbers, and any other regulated data elements in combination with the first name or first initial and last name of California residents. In addition, consider:
      • verifying references prior to hiring employees who will have access to sensitive customer information;
      • requiring employees to sign an agreement to follow your organization's confidentiality and security standards for handling customer information;
      • requiring encryption of all relevant data files if they are ever stored on laptop computers that leave your offices;
      • instructing and regularly reminding all employees of your security policy;
      • limiting access to personal information to employees who have a business reason for having such access (for example, provide access to customer information files to employees charged with responding to customer inquiries, but only to the extent necessary to perform their jobs); and
      • imposing disciplinary measures for any breaches.

Third-Party Contracts

  • Review your contracts with third parties to whom you disclose this information and, if the contracts do not bind those third parties to meet the requirements of A.B. 1950, negotiate amendments before January 1, 2005. If the third party refuses to negotiate an amendment, you may have to consider options including termination of the contract or placing the provider on notice of its obligation to comply with the law.
  • In reviewing these third-party contracts, you also should ensure that you have the ability to audit the third party’s security practices and that you will be indemnified by the third party in the event of a breach.
  • If you are the owner or licensor of the information, it is important to impose contractually on the third party specific standards that match your own practices. If you simply leave it to the third party to determine what is "appropriate" or "reasonable," any gap between what you deem adequate for your information and what the third party deems adequate becomes a potential source of liability for your company.
  • If you have not done so already, take this opportunity to ensure that your contracts contain the appropriate language to address the notification requirements under California’s Security Breach Notification Law (for instance, notification requirements in the event of a breach of security).
  • Prior to engaging third parties who will receive your company information, consider conducting an audit of their security practices and prepare a written risk assessment. As security standards evolve, it may not be sufficient to simply bind a third party contractually to implement reasonable security procedures.

Other Security Considerations

  • Designate one or more senior management employees to coordinate your information security program.
  • Ensure that your company’s board of directors or managers or other governing body has been advised of its responsibilities regarding information security. These responsibilities do not end with Sarbanes-Oxley compliance. Rather, they just begin. In public companies, a committee of the board, such as the audit committee or a newly formed committee such as an information technology or information security committee, should oversee your company’s information security program. Our firm provides educational programs designed to educate board members regarding their information security responsibilities.

Endnote

1 A.B. 1950's incentive to encrypt sensitive data also is consistent with Cal. Civ. Code § 1798.85, which requires a secure connection or encryption for transmission of social security numbers over the Internet and restricts the printing of SSNs on identification cards and mailed materials.

This article is intended to provide information on recent legal developments. It should not be construed as legal advice or legal opinion on specific facts. Pursuant to applicable Rules of Professional Conduct, it may constitute advertising.