Info Security Requirements for the Rest of Us
September 23, 2004
Published in the September 15, 2004 issue of Southeast Tech Wire
As our important business and personal records have become digitized, and as those digital files have been connected through networks, we have realized that we should be acting to limit access to those records in ways that reflect the challenges of the new environment. We can no longer just lock a file cabinet or close a room to assure privacy and security.
Legislatures and regulatory bodies have been slow to impose generalized security obligations on the public. The legislative field has been marked with specialized rules for protecting specialized information. Gramm-Leach-Bliley mandated protections of personally identifiable financial information, HIPAA required security for personal health care information, and COPPA protected personal and contact information relating to children. Other information security legal obligations have been imposed on businesses as enforcement of the company’s own stated privacy policy after notable breaches occur.
However, the state of California, which has led the nation toward greater protections of electronic data, seems to be on the precipice of instituting a generalized information security obligation, affecting all industries that collect and hold customer data. When California jumps off of this cliff, any business with customers residing in California would be affected.
The end of August saw both houses of the California legislature pass the same personal data protection bill, which now awaits the signature of Governor Schwarzenegger. AB 1950, which would be added as Section 1798.81.5 of the California Civil Code (the “Act”), requires any business that owns or licenses personal information about a California resident to implement and maintain “reasonable security procedures and practices” to protect that personal information from unauthorized access and from the consequences that flow from such access.
As the Legislative Counsel observes in official notes to the Act, existing California law already “regulates the handling of customer records and requires that a business take all reasonable steps to destroy” those records when they are no longer needed, and the existing law also requires a holder of “computerized data that include personal information” to disclose any breach of security in its system. The Act, with its imposition of a generalized information security requirement, is therefore a natural extension of these laws.
The Act requires that businesses that own or license personal information use reasonable measures, appropriate to the nature of the information, to protect it from “unauthorized access, destruction, use, modification or disclosure.” Because the Act does not define what measures are reasonable or appropriate, it leaves much to the interpretation of the business holding the information and to the interpretive powers of the courts.
The Act also obliges businesses disclosing information about a California resident pursuant to a contract with a nonaffiliated company to require by contract that the recipient of the information implement and maintain reasonable security practices and procedures. Businesses that are covered by stricter information security requirements, like those regulated under HIPAA or Gramm-Leach-Bliley, are exempt from compliance with the Act.
