What changes has California made to its data breach laws?
The change is in the definition of what constitutes personally identifiable information, or PII. A user name and password is now considered PII. In the other 45 states that have laws regulating the disclosure of PII, you have to disclose some combination of name, address, Social Security number, credit card number or bank account number. Now added to that list will be a user name and password.
Why does this matter?
A much wider web of companies are affected. If you do nothing else but let people have their preferences stored, you now are at risk of incurring significant costs and potential liability if you don’t comply with this new measure. Companies that didn’t think they had liability now do. Social media companies in most cases don’t collect credit cards or your address, but you have a login and password.
How does that impact businesses outside California?
Because most companies doing business online potentially have customers in all 50 states, the general advice if you have a breach is to revert to the strictest standard. Now that California has taken this new step and added log-in credentials to PII, most legal counsel are going to advise clients that they need to follow California notification guidelines.
Will other states follow suit?
That’s been pretty consistent so far. As one state has expanded these provisions, other states have followed. It’s not an unreasonable extension given the state of the password universe. Despite all the advice out there, people continually use the same password and user name combinations on multiple websites.
What steps should businesses take?
One of the first things you need to do is to take steps to better understand what you’re collecting, how you’re storing it and how you’re protecting it, and particularly understanding if you’re storing anything you don’t need to. The more data you’re storing, the greater risk you have of losing it.
Second, you have to understand how you’re protecting data and have an independent, third-party assessment of whether it’s adequate.
Third, you have to think about the potential to transfer that risk. There are definitely insurance products that will help with the costs of dealing with PII. People would be surprised at the scope of costs that can be covered.