The new year brings with it many new California privacy laws. Included are the following:

S.B. 202 – Telephone Record Pretexting

As previously reported, S.B. 202 amends Penal Code § 638 to prohibit the purchase or sale of any telephone pattern record or list without the written consent of the subscriber.

A.B. 424 – Identity Theft: Personal Information

A.B. 424 expands the definition of identity theft victim, for purposes of Penal Code §§ 530.5, 530.6 and 530.8, to include firms, associations, organizations, partnerships, businesses, trusts, companies, corporations, limited liability companies or public entities.

A.B. 618 – Financial Crime

Upon request from law enforcement agencies, banks, credit unions and savings associations must provide surveillance photos and videos of anyone accessing the financial account of a crime victim, whether such access occurred at an ATM or inside the financial institution. Government Code § 7480.

A.B. 2043 – Identity Theft and Debt Collection

This law amends Civil Code §§ 1788.2 and 1788.18 to extend to firms, associations, organizations, partnerships, business trusts, companies, corporations, and limited liability companies protections previously available to consumers to contest debts where they are victims of identity theft.

A.B. 2886 – Identity Theft Penalties

This law amends Penal Code §§ 530.5 and 530.55 to define new crimes, enhance penalties and create court procedures concerning crimes of identity theft, including: 1) penalty enhancements for repeat offenders and for those stealing the identities of ten or more people; 2) a requirement that court records reflect that the person whose identity was stolen was not responsible for the crime committed; 3) penalties for selling, transferring or conveying personal information with the knowledge that it will be used to commit identity theft or with the intent to defraud; 4) a state penalty for mail theft; and 5) the addition of professional or occupational number to the definition of "personal identifying information."

In Other News

As expected, the new Democratic leadership in Congress already has sought to reintroduce federal legislation governing data security breach notification requirements that would expressly preempt the more than 30 state laws already on the books.

On January 10, Senator Dianne Feinstein of California introduced The Notification of Risk to Personal Data Act (S. 239). Thus far, published reports of the bill indicate that it largely reflects California’s legislation, but includes an exemption from notification for any government agency or business if "a risk assessment concludes that there is no significant risk that the security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach." The results of any such risk assessment would be provided to the Secret Service, which would have 10 days to determine whether a notice should be issued. Further, under the bill, a business need not disclose a breach if it "utilizes or participates in a security program that is designed to block unauthorized financial transactions before they are charged to the account of the individual."