California Modifies Data Breach Law
On September 30, 2014, California joined the trend and enacted amendments to its data security laws. The new law expands its scope to third-party service providers and businesses that do not just “own or license personal information,” but merely “maintain” that data.
The new law expands all provisions of the statute “to businesses that own, license, or maintain personal information.” Third party service providers (cloud storage, SaaS, PaaS, etc.) all appear to be within the scope of the new law’s affirmative requirements.
Next, California’s law requires businesses that experience data breaches that voluntarily offer to provide affected customers credit monitoring or other identity theft mitigation services, do so for “not less than 12 months” and provide “all information necessary” to accept the offer to the affected class. Lastly, California limits the requirement to offer 12 month credit monitoring “if the person or business providing the notification was the source of the breach,” and if the breach exposed … personal information as defined by the statute. Given the statute’s broad definition of “personal information,” it seems that most data breaches will result in the release of covered information. - See more here.
Please contact a Fidens specialist for complimentary consulation regarding cyber & privacy liability.