
Two New California Laws Impose

Consumer Information Security Obligations

Two new California laws, effective January 1, 2005, may significantly affect companies that do business with California residents. These new laws impose new requirements on businesses with respect to the maintaining and sharing of personal information about California residents.

Prior California law regulated some aspects of the handling of customer records. For example, prior law required that a business take all reasonable steps to destroy a customer’s records in its custody or control when they are no longer to be retained.[1] Specifically, businesses were and are required to shred, erase, or otherwise modify the personal information in those records to make it unreadable or undecipherable through any means.[2] Prior California law also required businesses to disclose to their customers and others any breach of the security of any system, when that breach might have allowed an unauthorized person to acquire unencrypted personal information about a California resident.[3]

Prior California law did not, however, specifically require a business to implement and maintain procedures and practices to protect personal customer information, nor did existing law provide a right of a California resident to learn what information has been disclosed to third parties. Assembly Bill 1950 ("AB 1950"), which adds section 1798.81.5 to the California Civil Code, and Senate Bill 27 ("SB 27"), which adds section 1798.83 to the California Civil Code, imposed these requirements for the first time.

Assembly Bill 1950

AB 1950 imposes requirements on businesses that maintain personal information, in any form, about one or more California residents.

Who must comply with AB 1950?

AB 1950 applies to all companies that have business relationships with California residents, except those that are regulated by state or federal law providing greater protection to personal information than is provided by AB 1950. Those companies not subject to AB 1950 include:

  - Health care providers regulated by the Confidentiality of Medical Information Act;

  - Banks and other financial institutions subject to the California Financial Information Privacy Act; and

  - Covered entities governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

What are the requirements of AB 1950?

AB 1950 has two basic requirements:

  1. All businesses that possess personal information about California residents must implement and maintain security procedures to protect that personal information; and

  2. All businesses that disclose personal information about California residents to a third party must require that the third party maintain security procedures to protect the personal information.

Personal information. Under AB 1950, "personal information" means an individual’s first name or first initial and his or her last name, in combination with any one or more of the following data elements:

  1. The person’s social security number;

  2. The person’s driver’s license number or California identification card number;

  3. The person’s account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or

  4. Medical information about the person.[4]

Personal information does not include information that is lawfully made available to the general public from federal, state, or local government records.

Required security procedures under AB 1950. AB 1950 does not set forth specific security procedures that businesses must follow to ensure compliance. Rather, the new law requires businesses to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure."

Notably, however, AB 1950 excludes from its definition of "personal information" any information that is encrypted or redacted. Therefore, a business that encrypts all personal information stored on its computers will only need to worry about adequately protecting non-computer-based information (e.g., paper reports containing personal information, customer receipts, etc.).

In addition to implementing its own security procedures, if the business discloses personal information about a California resident to a third party, then the business must require by contract that the third party "implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, use, modification, or disclosure."

What are the consequences of failing to comply with AB 1950?

A violation of AB 1950 could subject the business to a lawsuit under California’s Unfair Competition Law, which classifies "unlawful business conduct" as one form of unfair competition, and provides for civil penalties, private rights of action, and class actions against businesses engaged in unfair competition.[5]

What can my business do to ensure compliance with AB 1950?

All businesses that conduct any business in California, or with California residents, probably maintain, or have the potential of maintaining, some sort of unencrypted personal information as defined by AB 1950. Therefore, unless your business is exempt from the requirements of AB 1950 (because the business is already subject to a more protective state or federal law), management should consider taking the following actions to ensure compliance:

  1. Identify the kinds of personal information that the business collects and maintains. Be sure to include paper-based as well as electronically-stored personal information.

  2. Determine the level of risk that the potential loss or unauthorized disclosure of information poses to your business and to the public. It may be helpful to create a risk-rating system for this purpose, and assign each piece of personal information maintained a high, medium, or low risk category.

  3. Use the risk analysis to determine if your business’s security measures and procedures are "reasonable." In making this determination, weigh the costs of the protection that your business currently provides (e.g., data encryption, backup, fire safes, internal procedures, locked cabinets, insurance, etc.), against the damages that the business would sustain if the data were to be lost or improperly disclosed.

  4. If necessary, adjust procedures and practices so that the type and level of protection provided to the personal information is appropriate for the degree of risk of loss or improper disclosure of that information.

We strongly encourage every business to document the risk analysis described above, as well as the company’s standard operating procedures that will ensure compliance with AB 1950. This is because, in the event that a person brings an action for violation of AB 1950, the business will be able to demonstrate that its protective measures are not only reasonable, but that the business, in fact, adheres to them.

Senate Bill 27

SB 27 requires any business that discloses a customer’s personal information to a third party, for direct marketing purposes, to provide the customer, within 30 days after the customer’s request, the names and addresses of the recipients of that information and specified details regarding the information disclosed.

Who must comply with SB 27?

Every business with 20 or more full-time or part-time employees is subject to SB 27.

What are the requirements of SB 27?

With certain limited exceptions, SB 27 requires any business that discloses personal information about a California resident to a third party, when the business knows or reasonably should know that the third party will use that personal information for direct marketing purposes, to implement a system to enable California residents to request and receive the details of the personal information that was shared with the third party. Note, however, that this statute does not address the legal requirements for disclosing personal information to third parties. Therefore, a business should, before sharing any customer data with any third party, ensure that the manner in which it does so complies with all applicable privacy laws.

Personal Information. The definition of personal information under SB 27 is far more comprehensive than it is under AB 1950 (discussed above). SB 27 defines personal information as "any information that, when it was disclosed [by the customer to the business], identified, described, or was able to be associated with an individual." SB 27 expressly includes all of the following as within the definition of personal information:

  1. An individual’s name and address;

  2. Electronic mail address;

  3. Age or date of birth;

  4. Names of children;

  5. Electronic mail or other addresses of children;

  6. Number of children;

  7. The age or gender of children;

  8. Height;

  9. Weight;

  10. Race;

  11. Religion;

  12. Occupation;

  13. Telephone number;

  14. Education;

  15. Political party affiliation;

  16. Medical condition;

  17. Drugs, therapies, or medical products or equipment used;

  18. The kind of product the customer purchased, leased, or rented;

  19. Real property purchased, leased, or rented;

  20. The kind of service provided;

  21. Social security number;

  22. Bank account number;

  23. Credit card number;

  24. Debit card number;

  25. Bank or investment account, debit card, or credit card balance;

  26. Payment history; and

  27. Information pertaining to creditworthiness, assets, income or liabilities.

For the purpose of SB 27, a "customer" as used in this memorandum is any California resident engaged in a business relationship with the company. This does not require that there has actually been a consummated business transaction; only that one was contemplated. Thus, for all practical purposes, any personal information that the business collects from a customer or potential customer falls within the scope of this law.

Accepting customer inquiries about personal information disclosed to third parties. Under SB 27, a business that discloses personal information to a third party, when that information may be used by the third party for direct marketing purposes, must provide one or more of the following methods for customers to request details about the information disclosed:

  - Postal mail, provided that the business designates a specific mailing address to which customers may send their inquiries;

  - Electronic mail, provided that the business designates a specific electronic mail address to which customers may send their inquiries;

  - Telephone, provided that the business designates a specific toll-free telephone number to which customers may send their inquiries; and/or

  - Facsimile, provided that the business designates a specific toll-free fax number to which customers may send their inquiries.

Informing customers of their right to receive information about the disclosure of their personal information. A business that discloses information to third parties for direct marketing purposes must do at least one of the following:

  - Regularly notify its agents and managers who supervise employees who regularly have customer contact of the procedures for customers to obtain information about the disclosure of their personal information;

  - Post the procedures for customers to obtain information about the disclosure of their personal information on the company’s Web site;[6] and/or

  - Make the procedures for customers to obtain information about the disclosure of their personal information readily available in written form at every place of business in California where the business or its agents regularly have contact with customers.

Responding to customer inquiries about personal information disclosed to third parties. If a customer requests to receive information about which items of his personal information were disclosed to third parties, the business must, within 30 days of the inquiry, provide all of the following to that customer:

  - A list of the items of personal information that were disclosed to third parties for the third parties’ direct marketing purposes during the immediately preceding calendar year;[7] and

  - The names and addresses of all of the third parties that received personal information from the business for the third parties’ direct marketing purposes during the preceding calendar year, and information about the third party sufficient to give the customer a reasonable indication of the nature of the third parties’ business.

The business must provide this information to the customer in writing, and free of charge.

Limitations on requirements. A business that is required to comply with SB 27 is not obligated to do so in response to a request from a customer more than once during the course of any calendar year. In addition, SB 27 sets forth examples of certain arrangements deemed not to be disclosures to third parties for the purpose of this law. These examples include:

  - Disclosure of personal information that is incidental to an arrangement with a third party for the storage, management, or organization of data, provided that the personal information is not used for the third party’s direct marketing purposes;

  - Disclosure of information that is incidental to an arrangement with a third party for the maintaining or servicing of accounts, including credit account application processing, provided that the personal information is not used for the third party’s direct marketing purposes;

  - Lawful disclosures to or from consumer reporting agencies; and

  - Disclosure of information to a third party for the purpose of jointly offering a product or service to the customer. In order to satisfy the requirements of this exemption, all of the following requirements must be met:

        1. The personal information must be disclosed pursuant to the terms of a written agreement between the business that discloses the personal information, and the third party that receives the personal information, for the purpose of jointly offering a product or service;

        2. The written agreement must provide that the third party that receives the personal information is required to maintain the confidentiality of the personal information, and is prohibited from disclosing or using the personal information other than to carry out the joint offering or servicing of the product or service that is the subject of the written agreement;

        3. The product or service offered must be a product or service of, and be provided by, at least one of the businesses that is a party to the written agreement; and

        4. The product or service must clearly and conspicuously identify: (i) all of the parties that jointly offer, endorse, or sponsor the product; and (ii) all of the parties that disclose and receive customer information. This should be done by way of a pre-sale disclosure to every potential customer. A business should not disclose personal information under this exemption if the customer does not in fact purchase the product or service.

What are the consequences of failing to comply with SB 27?

Aside from potential actions under California’s Unfair Competition Law,[8] SB 27 specifically provides that any customer injured by a violation of this law may institute a civil action to recover damages of up to $3,000 per violation. Moreover, unlike the action authorized by California’s Unfair Competition Law, SB 27 authorizes a prevailing plaintiff to recover his or her reasonable attorney fees and costs. This increases the likelihood that people will bring these lawsuits against businesses.

What can my business do to ensure compliance with SB 27?

SB 27 is a rather complex law, with many exceptions that apply depending on the specific activities of the business. Consequently, although we have addressed all of the core requirements of SB 27 in this memorandum, business owners should be aware that certain exemptions and exceptions, if applicable to their businesses, could reduce the costs of compliance.

The best way to ensure compliance with SB 27 is to incorporate its requirements into your company’s routine operations and its written operating procedures. Unlike AB 1950, SB 27 does not permit management to create reasonable procedures to address risk; SB 27 is a disclosure statute, and, as such, its requirements are specific and mandatory.

If your business discloses information to third parties, and that information may be used for direct marketing purposes, then you may wish to have your procedures for this data-sharing reviewed by legal counsel to ensure compliance with SB 27, as well as other applicable state and federal laws.

CONCLUSION

AB 1950 and SB 27 come into effect only five months after the effective date of California’s Online Privacy Protection Act ("OPPA"), another piece of legislation designed to protect customer information.[9] A review of the legislative history of all of these new laws reveals that the California legislature is greatly concerned about protecting the personal information of California residents.

While laws like AB 1950 and SB 27 undoubtedly provide some measure of protection to California residents, they also impose requirements and burdens on businesses. If businesses do not adhere to those requirements, they may be sued. Consequently, it is becoming more important each year for businesses to be aware of their legal obligations concerning data security, so that they can make educated decisions on how to best allocate their resources.

________________________________

[1] Cal. Civ. Code Section 1798.81

[2] Ibid.

[3] Cal. Civ. Code Section 1798.82

[4] "Medical information" means any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a health care professional.

[5] Cal. Bus. & Prof. Code Section 17200 et seq.

[6] SB 27 has specific formatting and placement requirements for businesses choosing this option. Contact us, or refer to the text of SB 27 for all of these requirements.

[7] Note that the business is not required to provide the actual data that was disclosed to the third parties, only the type of data, e.g., "social security number" or "date of birth."

[8] See note 5 supra.

[9] Refer to http://www.slglegal.com/OPPA.htm for an article discussing the OPPA.

If you would like to discuss your company’s strategy to comply with these new laws (as well as existing information security law not discussed in this memorandum), please contact us.

For more information, contact:

Michael D. Schley

805-966-2940

Joseph F. Look

805-688-9226

Ian M. Guthrie

805-966-2985

Brett Locker

805-963-4929

This memo was prepared with the assistance of Christina Stokholm, law clerk.
