Today's Trends in Credit Regulation

California Privacy Bills
By Elizabeth A. Huber

When it comes to privacy and identity theft protection, California’s legislators pride themselves on having acted years ahead of the U.S. Congress. Before the Fair and Accurate Credit Transactions Act of 2003 was signed into law amending the Fair Credit Reporting Act, California had already adopted these provisions:

  • Consumers’ ability to place security alerts and security freezes in their credit reports.
  • Providing consumers who are victims of identity theft with copies of their credit reports.
  • Right of consumers who are victims of identity theft to obtain a copy of their file from a creditor.
  • Blocking information in credit files when consumers are victims of identity theft.
  • Providing consumers with credit score disclosures in connection with home mortgage loans (and now, also in connection with motor vehicle financing and leasing).
  • Notice that negative information may be furnished to credit reporting agencies.
  • Need to verify a consumer’s address and identity when a discrepancy is reported (red flags).
  • Truncation of credit card numbers in receipts for purchase.
  • Rules for disposing of consumers’ records.

There’s no mystery why it pays to watch what California does, and this year’s legislative session is no exception.

Senate Bill 24 – California’s security breach notification law would be amended by Senate Bill 24 to require a governmental agency or any business that is obligated to issue a security breach notification pursuant to existing law to include numerous additional items of information in the notice. The law currently requires an agency or business that owns or licenses computerized data that includes personal information (a defined term) to disclose any breach of the security of the system, following discovery or notification of the breach, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The notification must be made in the most expedient time possible and without unreasonable delay. Some delay is excused if required by law enforcement in connection with a criminal investigation, or because it is necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.

If the bill is enacted, the security breach notification –

  • Must be written in plain language.
  • Must include, at a minimum, the following information:
    • The name and contact information of the reporting business.
    • A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
    • If the information is possible to determine at the time the notice is provided, then any of the following: (i) date of the breach, (ii) estimated date of the breach, or (iii) the date range within which the breach occurred. The notification must also include the date of the notice.
    • Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
    • The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.
  • May include, in the discretion of the business, information about what the business has done to protect individuals whose information has been breached, and advice on steps that the person whose information has been accessed may take to protect herself.

The bill would also require any agency or business that is required to issue a security breach notification to more than 500 California residents pursuant to existing law to electronically submit a single sample copy of that security breach notification to the Attorney General, as specified. Existing law provides that if the business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of persons to be notified exceeds 500,000, or the business does not have sufficient contact information, the business may invoke the process for “substitute” notice. Part of the substitute notice process would be amended to require that the notification also be sent to the California Office of Privacy Protection, www.privacy.ca.gov.

Senate Bill 242 – Although at the time of this writing the Social Networking Privacy Act is not moving in committee, the bill would prohibit a social networking Internet Web site from displaying to the public or other registered users the home address or telephone number of a registered user who identifies herself as being under 18 years of age. The prohibition would only apply to a text field specifically designated to display the registered user’s home address or telephone number. A willful and knowing violation would cause the social networking site to be liable for a civil penalty not to exceed $10,000 for each violation.

Senate Bill 602 – This bill would adopt the Reader Privacy Act, which would, among other things, prohibit a commercial provider of a book service from disclosing, or being compelled to disclose, a user’s personal information related to the use of a book or part of a book, subject to certain exceptions, for example, a search warrant. A “book” is defined as paginated or similarly organized content in printed, audio, electronic, or other format, including fiction, nonfiction, academic, or other works of the type normally published in a volume or volumes. “Book service” is defined as a service that, as its primary purpose, provides the rental, purchase, borrowing, browsing, or viewing of books.

The bill would require a court, when considering whether to issue a search warrant/order for civil discovery, to make specified findings, including that the person or entity seeking disclosure of personal information of a user of a book service has a compelling interest in obtaining that information. The bill would impose civil penalties on a provider of a book service for knowingly disclosing a user’s personal information to a government entity in violation of these provisions. The bill would require that any provider of a book service prepare a specified report relating to demands for disclosure of personal information of users of the book service, and publish that information in a searchable format on the Internet.

Senate Bill 761 – The Consumer Protection Against Computer Spyware Act prohibits any person other than the authorized user of computer software from causing computer software to be copied onto the computer of a consumer in this state and using the software to commit unauthorized acts or to collect, through intentionally deceptive means, personally identifiable information (a defined term), and through intentionally deceptive acts, to remove, disable, or render inoperative security, antispyware, or antivirus software installed on the computer. This bill would, no later than July 1, 2012, require the Attorney General, in consultation with the California Office of Privacy Protection, to adopt regulations that would require a covered entity, defined as a person or entity doing business in California that collects, uses, or stores online data containing covered information from a consumer in this state, to provide a consumer in California with a method to opt out of that collection, use, and storage of such information.

California Financial Information Privacy Act – “Basis Points” readers who are “privacy geeks” like many of us here at Hudson Cook will know that the California Financial Information Privacy Act contains a “safe harbor” privacy form for California consumers. Under the Act, a financial institution will be conclusively presumed to have satisfied the “opt-out” notice requirements if it uses the form set forth in Cal. Financial Code Section 4053(d). If a financial institution does not use the safe-harbor form, the financial institution must use a form that meets a laundry list of requirements in this subsection. If a financial institution uses a form other than the safe-harbor form, the financial institution may submit that form to its functional regulator for approval. For purposes of those regularly extending or arranging credit, the functional regulators are the Department of Financial Institutions (banks, credit unions, industrial banks, trust companies, money transmitters, issuers of travelers checks and payment instruments/money orders, and premium finance companies), the Department of Corporations (California Finance Lender licensees and Residential Mortgage Lending Act licensees) and the Department of Real Estate (real estate loan brokers).

The California Department of Corporations’ website advises that a “financial institution” may submit the privacy form to the Department of Corporations for approval. Filing is optional with the licensee, and we are not aware of any examinations that have investigated a licensee’s information sharing practices and compared them to the licensee’s privacy policy. The instructions for filing the licensee’s privacy form are at: http://www.corp.ca.gov/FSD/submission.asp.

The Department of Financial Institutions includes Management Certification for privacy compliance in its examination procedures. For these entities, the FAQs for the Certification provide step by step instructions: http://www.dfi.ca.gov/resources/faqs/div1_2.pdf.

Aside from the Department of Real Estate’s 2005 bulletin that references the Financial Information Privacy Act, we did not locate any helpful online information for DRE licensees, www.dre.ca.gov.

Office of Privacy Protection Tip of the Month – The California Office of Privacy Protection advises that obvious answers to obvious security questions can bring trouble, and that it is better to pick random answers to infrequently asked security questions. California Attorney General Kamala D. Harris recently spoke about a California man who pleaded guilty to hacking into hundreds of women’s email accounts. The hacker was apparently able to do this by correctly answering the security questions with information found on his victims’ Facebook pages. Pet names, schools, favorite songs, and children’s names opened the door for this identity thief. This helpful example of how to set up a security question that will prevent an unauthorized person from using information from other sources, such as Facebook, to access private accounts was offered: “Where did your parents meet?” P!aNe+maR$!

Elizabeth A. (Liz) Huber is a partner in Hudson Cook, LLP’s Orange County office, and can be reached at (310) 686-5050 or by email at ehuber@hudco.com. Liz writes and speaks frequently on California consumer credit issues.
