Recent statutory amendments passed in California and Nevada expanding the definition of “personal information” will significantly impact the security measures businesses operating in these states must implement when handling personal information of customers residing there.
California, a leader in privacy and data security regulation, recently amended its privacy statute. The statute obligates businesses to protect state residents’ “personal information” by implementing and maintaining reasonable security procedures. The statute applies to two broad categories of businesses: those which own, license, or maintain personal information about California residents, and those which, pursuant to contract, disclose personal information about California residents to unaffiliated third parties. When disclosing personal information, businesses are also required to “pay (the protection) forward” by including, in their agreements with the third parties to whom information is disclosed, contractual provisions mandating implementation of reasonable security measures. Businesses that fall under certain other state or federal laws providing greater protection to customer personal information are exempt from the provisions of this section (for example, the statute does not apply to entities already covered by HIPAA and the California Financial Information Privacy Act).
In its current form, the statute defines “personal information” as a person’s name in combination with his or her Social Security number, driver’s license or California identification card, credit or debit card number and password, or medical information. The amendment has been designated as “non-urgency” legislation and will become effective January 1, 2016, pursuant to California law. When the amendments take effect, “personal information” will also include a person’s name coupled with his or her health insurance information, and a username or e-mail address in combination with a password or security question and answer that would permit access to an online account. “Health insurance information” will mean policy or subscriber identification numbers, “any unique identifier used by a health insurer to identify an individual, or any information in an individual’s application and claims history, including any appeals records.”
Nevada also recently amended its analogous personal information security act, which applies to the same two categories of business as the California statute and requires implementation of similar reasonable security procedures. Effective July 1, 2015, the “personal information” definition under the statute includes driver authorization card numbers, medical and health insurance identification numbers, and user names with unique identifiers or e-mail addresses coupled with passwords, access codes, or security questions and answers that would permit access to online accounts.
While most businesses in California and Nevada have already implemented security measures that comply with the existing laws, Nevada businesses will need to immediately tailor and expand such measures to account for the newly defined personal information. California businesses will need to do so by January 1, 2016. These amendments serve as a reminder to businesses collecting personal information of the importance of having appropriate security measures in place and of adequately managing vendors and other contract partners. In addition to an appropriate diligence process, it is advisable to include appropriate protective provisions in contracts with third parties, as well as to require monitoring and/or audit rights with respect to such third parties’ protective measures.
Members of Ballard Spahr’s Privacy and Data Security Group regularly advise businesses on compliance with data security and privacy statutes, on devising and implementing information security plans, and on assessing and negotiating agreements with third-party vendors and partners.
Copyright © 2015 by Ballard Spahr LLP. www.ballardspahr.com (No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.