California’s Data Security law requires businesses to safeguard customers’ personal information. On January 1, 2016, a new amendment to the statute will go into effect.

The most significant change to the law is a modification of the definition of what constitutes protected personal information as it pertains to businesses in the state.

Personal Information

Personal information is an individual’s name in combination with any of the following, when the data is available:

  • Social Security number;
  • Driver’s license number or California identification card number;
  • Account number, in combination with any required security code that would permit access to an individual’s financial account; or
  • Medical information.

The amendments add another category of protected information, namely a username or email address combined with a password or security question and answer that would permit access to an online account. Health insurance information is also protected.

Health insurance information includes:

  • A person’s insurance policy number or subscriber identification number;
  • Any unique identifying information utilized by a health insurer to identify the person; and
  • Any information in an individual’s application and claims history including appeals records.

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Covered Businesses

The amendments apply to businesses that own, license, or maintain personal information about residents of California. This includes information that a business retains as part of its internal customer account, or for the purpose of using the information in transactions with the person to whom the information relates. It also includes personal information that a business maintains but does not own or license. Essentially, the law requires businesses to provide reasonable security for the protection of customers’ personal information from unauthorized access or disclosure.

Contracts with Nonaffiliated Third Parties

If a business discloses personal information about an individual to a nonaffiliated third-party vendor, then it must require by contract that the third party implement and maintain reasonable security procedures and practices to protect that personal information.

Exemptions

The personal information protection law does not apply to the following:

  • Health care providers;
  • Financial institutions;
  • Covered entities governed by the medical privacy and security rules issued by the federal Department of Health and Human Services;
  • Entities that obtain information under an agreement pursuant to the Vehicle Code; and
  • Businesses that are regulated by state or federal law providing greater protection to personal information than that provided by the Data Security law.

If you have questions about how the amendments will affect your business, an experienced Morgan Hill business law attorney can help you alter your policies and practices to align them with the new law and ensure that none of its provisions are violated. Please contact us or call 408-779-4700 for a free 20 minute consultation with an attorney at The Law Offices of Steven E. Springer, in Morgan Hill, San Jose or Fremont.
