Many states have embraced standards that businesses must follow to safeguard personal identifying information. Often these standards include ‘Data Security Breach Notification Requirements.’ In California, the California Attorney General’s Office implements these laws.
It’s important to note that in February new legislation was introduced to strengthen California’s data breach notification law that protects consumers. The bill was created to close a loophole in the current data breach law by requiring businesses to notify consumers when passport numbers or biometric information are compromised, which was not previously required.
California Businesses Should Take Note
As a business owner, it’s crucial that you take proactive measures to protect your customers’ private information. California law requires individuals or businesses that own, license or maintain personal information about California residents to safeguard this information. It’s up to each company to implement reasonable security procedures and practices protecting its data from unauthorized access, use, destruction, modification or disclosure. Under these laws, a business is defined as any group that is chartered, organized, or holds an authorization certificate or license under California law or the law of any other state, the federal government or of any other country.
There are certain businesses exempt from California’s breach notification law, including:
- Health care providers, contractors, or health care service plans regulated by the Confidentiality of Medical Information Act.
- Financial institutions which adhere to the California Financial Information Privacy Act.
- Businesses governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security and privacy rules.
- Companies that are regulated by federal or state laws that provide greater protections to personal identifying information than what California’s breach notification laws require.
- Entities that obtain information under an agreement authorized by the vehicle code and that are subject to the confidentiality requirements of the vehicle code.
Under the breach notification law, personal identifying information includes a person’s first name or first initial and last name in conjunction with one or more of the following:
- A California identification card number or driver’s license number.
- A Social Security number.
- Medical information about a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
- An account, debit or credit card number, in combination with any required access code, password or security code that would permit access to an individual’s financial information.
- Information or data collected by use or operation of an automated license plate recognition system.
- Health insurance information.
Personal identifying information may include a username or email address, along with a password or security question and answer that would permit access to an online account.
It’s essential that you know what a breach is. Under the current law, a security system breach is the unauthorized acquisition of computerized data that jeopardizes the confidentiality, security, or integrity of the personal identifying information kept by another person or business. Ascertaining whether a breach took place under the law depends on whether the affected information was encrypted or unencrypted. To understand more about California’s data breach notification law, visit the following state resources.
California Attorney General’s Office
The attorney general’s office offers the following guidance regarding data security breach reporting.
The attorney general’s office has made the following resources available to businesses.
Protecting Your Business
It’s critical to ensure the success of your business, and it’s the law that you do all you can to protect your customers’ private information. Here are some ways you can protect yourself and your customers from a data breach.
- Safeguard Data
- Keep Only the Information that You Need
- Destroy Before Disposal
- Manage Use of Portable Media
- Keep Security Software Up-To-Date
- Secure All Computers
- Stop Unencrypted Data Transmission
We also recommend carrying a cyber liability policy. Cyber liability insurance is designed to help the insured recoup losses related to both first- and third-party risks associated with supplying and collecting information on the internet. Are you ready to discuss your business needs? Call 858-384-1506 today and chat with an insurance professional at Fusco & Orsini, who can help you create a customized cyber liability policy tailored to your business. And remember to ask for assistance regarding our risk management services.