California Expands Its Security Breach Notification Law But Rejects Merchant Liability Standard.


On October 13, 2007, Governor Schwarzenegger vetoed Assembly Bill 779, which would have regulated the handling of payment-related data and imposed greater liability on merchants for data security breaches.1 The following day, Governor Schwarzenegger signed Assembly Bill 1298, which expands California's data breach notification law to cover medical information and health insurance information. This article summarizes these new developments.

I. Governor Schwarzenegger's Veto Of AB 779

As explained in our September 27 update, AB 779 would have placed additional burdens on any person, business, or agency that (a) sells goods or services to any resident of California; (b) accepts as payment a credit card, debit card, or other payment device; and (c) is not already subject to regulatory oversight under the Gramm-Leach-Bliley Act's rules about disclosure of nonpublic personal information.2 These obligations would have included enhanced data security standards, as well as liability for the breach notification costs of a data "owner or licensee" that is required to give notice under California's existing data breach notification law.

In vetoing AB 779, Governor Schwarzenegger acknowledged the need to protect consumers' financial information. However, he described AB 779 as an attempt "to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers."3 He expressed concern that AB 779 "creates the potential for California law to be in conflict with private sector data security standards," such as the Payment Card Industry Data Security Standard (PCI DSS). Governor Schwarzenegger also criticized AB 779's failure to provide a clear definition of which business "owns" or "licenses" data. He commented that this ambiguity and the heightened data security requirements would "drive up the costs of compliance, particularly for small businesses." The Governor concluded by encouraging the bill's author and the payment card industry "to work together on a more balanced legislative approach" addressing these concerns.

II. Expansion Of Data Breach Law To Medical And Health Insurance Information

While vetoing AB 779, Governor Schwarzenegger also expanded California's breach notification law by signing AB 1298. AB 1298 adds "medical information" and "health insurance information" to the categories of "personal information" covered by California's breach notification law.

California's data breach notification law currently defines "personal information" as an individual's first name or first initial and last name in combination with any of the following data elements, when either the name or the data element is not encrypted:
Social Security number;

Driver's license number or California Identification Card number; or

Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to the individual's financial account.4

AB 1298 expands this definition by adding medical information and health insurance information to the list of covered data elements:

"Medical Information" is defined as "any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional."5

"Health Insurance Information" is defined as "an individual's health insurance policy number or subscriber information number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records."6

These provisions are not limited to health care providers; they may affect any employer or other entity that maintains computerized employee benefits records or other health data.

III. Other Effects Of AB 1298

In addition to its effect on California's breach notification law, AB 1298 expands California's Confidentiality of Medical Information Act to create a new category of entity subject to its limitations on the use and disclosure of medical information. More specifically, AB 1298 amends the California Civil Code to provide that any business maintaining medical information for use by individuals or health care providers in managing that information or receiving or providing medical diagnoses or treatment is subject to the general requirements imposed on "providers of health care" by the Confidentiality of Medical Information Act.7 Among other things, this amendment subjects such businesses to the civil and criminal penalties prescribed by the Confidentiality of Medical Information Act for improper uses and disclosures of medical information.8

AB 1298 also provides that, regardless of the existence of a security freeze, a consumer reporting agency may disclose public record information lawfully obtained from an open public record to the extent otherwise permitted by law.9

IV. Preparing For AB 1298

If your company maintains personal information about California residents, you will want to consider taking the following steps before AB 1298 takes effect on January 1, 2008:

Identify what types of computerized Medical Information or Health Insurance Information your company maintains, and consider the business reasons for collecting and maintaining this data. Limiting the collection and retention of protected data helps to reduce the risk and/or magnitude of a potential security breach.

Ensure that Medical Information and Health Insurance Information are protected by the same data security measures applied to other personal information covered by the breach notification laws (such as Social Security numbers and credit card numbers).

Consider encryption of Medical Information, Health Insurance Information, and other personal information covered by the breach notification laws. California's breach notification laws and the majority of other state breach notification laws provide an exemption or "safe harbor" for encrypted data. As a practical matter, that protection is only as strong as the key management behind it: data stored alongside the key that decrypts it, or encrypted with a key an attacker can readily obtain, offers little more protection than plaintext.

Train your human resources personnel, IT personnel, and managers that Medical Information and Health Insurance Information must be handled in the same manner as Social Security numbers and other personal information covered by the breach notification laws.

Update your company's breach response plan to explain that Medical Information and Health Insurance Information are now covered information.

Footnotes

1. We reported on AB 779 and AB 1298 in our September 27, 2007 update, "Pending Changes to California's Data Breach Law: New Burdens for Retailers?"

2. See AB 779, Section 1724.4(c) ("This section shall not apply to any person or business subject to Sections 6801 to 6809, inclusive, of Title 15 of the United States Code and state or federal statutes or regulations implementing those sections, if the person or business is subject to compliance oversight by a state or federal regulatory agency with respect to those sections."). The cited provisions of the United States Code are found in the Gramm-Leach-Bliley Act and regulate the disclosure of nonpublic personal information by financial institutions.

3. The Governor's veto message is available at http://gov.ca.gov/pdf/press/2007bills/AB%20779%20Veto%20Message.pdf.

4. See California Civil Code Section 1798.82(e).

5. See AB 1298, amendments to Sections 1798.82(e)(4) and 1798.29(e)(4).

6. See AB 1298, amendments to Sections 1798.82(e)(5) and 1798.29(e)(5).

7. AB 1298, amendments to California Civil Code Section 56.06.

8. AB 1298, amendments to California Civil Code Section 56.06(c).

9. AB 1298, Cal. Civ. Code 1785.11.2(n).

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

(c) Morrison & Foerster LLP. All rights reserved.

Ms Christine Lyon

Morrison & Foerster LLP

425 Market Street

San Francisco

California

CA 94105-2482

UNITED STATES

Tel: 4152687000

Fax: 4152687522

E-mail: info@mofo.com

URL: www.mofo.com


(c) Mondaq Ltd, 2007 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com

Publication: Mondaq Business Briefing
Date: Oct 25, 2007