California has a reputation as one of the most progressive states in the country, and that certainly applies to California data breach laws. It was no surprise when the state recently enacted a series of new, tougher data breach and user privacy laws.
There are two reasons that IT contractors should pay attention to these new California laws:
- If a breach occurs at a client's company, you'll need to make sure they follow these laws as they apply to users located in California.
- Because other states follow California's lead, these particular laws may be a sign of future changes to IT consultant liability nationwide.
What California's Data Breach Laws Mean for IT Contractors
Advisen has the details of CA's new laws, including one that specifically increases an IT contractor's legal responsibilities to their clients. Here are six new facets to California's data security laws and what you'll need to know to be compliant:
- IT contractors are required to know and follow data breach laws. CA's new data breach laws explicitly state that any third-party contractor working with a company's data is required to uphold relevant data security laws. It was always assumed that this was the case, but now that the CA legislature has put it in writing, IT contractors could see more lawsuits over mishandling data security issues.
- If you offer credit monitoring, there's a 12-month minimum. CA law doesn't actually require breached companies to offer free credit monitoring. But the law states that if the company does offer any free credit monitoring service, it must offer at least 12 months.
- Know that selling SSNs is prohibited. CA law now makes it clear that a business can't sell customer data that contains SSNs. A company might do this accidentally if it sells large amounts of customer data to a marketing or big-data analytics company. Before this data is sold, you'll have to "scrub" it, removing any Social Security numbers, including ones that have ended up in free-text fields rather than a dedicated SSN column.
- Expect extra data security requirements for e-learning companies. Businesses that sell learning software or online K-12 educational services can't use student data for targeted marketing purposes, including building a marketing profile of the K-12 student. In addition, educators, schools, and districts are allowed to request that any student data be deleted.
- Minors now have a limited "right to be forgotten." The Privacy Rights for California Minors in the Digital World states that users under 18 have the right to delete any content that they have posted on a business's website. This limited "right to be forgotten" only applies to content the minor has posted and not to content that friends or other users have posted on the minor's profile or page.
- Websites that market to minors can't advertise tobacco, alcohol, etc. If your website markets to under-18 users (even if they are only part of your user base), it can't have advertising for products that would be illegal for minors to purchase.
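The "scrub" step in the SSN item above is the one piece of this list a contractor actually has to implement before a client hands a customer extract to a third party. The following Python routine is an added example, not code from the original post or from TechInsurance: it drops the dedicated SSN column and also redacts SSN-shaped values hidden in free-text fields, then re-checks the result before export. The field names `ssn` and `social_security_number`, the sample records, and the `[SSN REDACTED]` marker are assumptions constructed for the example; the plausibility rules (area not 000, 666 or 900-999; group not 00; serial not 0000) follow the Social Security Administration's published allocation rules.

```python
import re

# Matches a 9-digit SSN written as 123-45-6789, 123 45 6789 or 123456789.
# The lookarounds stop it matching inside longer digit runs (phone numbers,
# account numbers), which is the most common false positive.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
REDACTED = "[SSN REDACTED]"
SSN_FIELDS = ("ssn", "social_security_number")  # assumed column names


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values that the SSA never issues; cuts false positives on
    order numbers and similar 9-digit identifiers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def redact_text(text: str) -> tuple[str, int]:
    """Replace plausible SSNs in free text; return (new_text, hits)."""
    hits = 0

    def repl(match: re.Match) -> str:
        nonlocal hits
        if is_plausible_ssn(*match.groups()):
            hits += 1
            return REDACTED
        return match.group(0)

    return SSN_RE.sub(repl, text), hits


def scrub_records(records: list[dict]) -> tuple[list[dict], int]:
    """Return a scrubbed copy of the records and the number of SSNs removed.
    Known SSN columns are dropped outright; every other string field is
    redacted, because SSNs routinely leak into notes and comment fields."""
    cleaned = []
    removed = 0
    for rec in records:
        out = {}
        for key, value in rec.items():
            if key.lower() in SSN_FIELDS:
                if value:
                    removed += 1
                continue  # drop the column entirely, even when empty
            if isinstance(value, str):
                value, hits = redact_text(value)
                removed += hits
            out[key] = value
        cleaned.append(out)
    return cleaned, removed


def find_remaining_ssns(records: list[dict]) -> list[tuple]:
    """Pre-export check: list (record id, field) pairs that still contain a
    plausible SSN. An empty list means the extract is safe to hand over."""
    offenders = []
    for rec in records:
        for key, value in rec.items():
            if not isinstance(value, str):
                continue
            for m in SSN_RE.finditer(value):
                if is_plausible_ssn(*m.groups()):
                    offenders.append((rec.get("id"), key))
                    break
    return offenders


# Constructed sample extract (not real people or real SSNs).
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Customer", "ssn": "123-45-6789",
     "email": "a@example.com",
     "notes": "Called to confirm SSN 321 54 9876 on file."},
    {"id": 2, "name": "B. Customer", "ssn": "",
     "email": "b@example.com",
     "notes": "Order 000123456 shipped; phone 555-123-4567."},
]

if __name__ == "__main__":
    cleaned, removed = scrub_records(SAMPLE_RECORDS)
    print(f"removed {removed} SSNs; remaining: {find_remaining_ssns(cleaned)}")
    for rec in cleaned:
        print(rec)
```

Run `find_remaining_ssns` on the scrubbed output and refuse to ship the file if it returns anything; the second record shows why the plausibility check matters, since the order number `000123456` and the phone number are left intact while the SSN in the first record's notes field is redacted.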
New State Data Breach Laws on the Horizon
It's clear which way data security is trending: Insurance Journal reports that New York's Attorney General has proposed stronger data security laws, and President Obama has been pushing for increased national standards to prevent data breaches. State and federal authorities are all looking to tighten data security.
As more states adopt stricter data security laws, make sure to check TechInsurance's guide to state data breach laws. We keep this resource updated with the latest changes to state laws. You can use our guide to make sure you're current on local laws or pass on this information to your clients to help them build a data breach response plan.
Keep in mind that as part of your IT contractor liability, you're responsible for knowing and following the laws relevant to client data security. Failure to do so could lead to a professional liability lawsuit. Make sure that you know the laws, and keep your Professional Liability Insurance policy active.