Businesses operating in California and Nevada will need to examine the security measures that protect “personal information” that they share with others as part of their operations.
The two states are expanding the definition of “personal information” and are requiring companies that share the information to not only take extra security precautions themselves when managing the information, but to ensure that any entities they share information with also abide by strict security measures.
In a recent alert to clients and others, the law firm Ballard Spahr cautioned that companies doing business in the two states need to immediately review their “personal information” protection policies and systems.
California’s new law takes effect Jan. 1, 2016. Nevada’s took effect July 1.
The new regulations, which are similar, apply “to two broad categories of businesses—those which own, license, or maintain personal information about California [and Nevada] residents, and businesses which, pursuant to contract, disclose personal information about California [and Nevada] residents to unaffiliated third parties,” the law firm said.
“When disclosing personal information, businesses are also required to ‘pay (the protection) forward’ by including, in the agreements with the third parties to whom information is disclosed, contractual provisions mandating implementation of reasonable security measures.”
The new regulations don’t apply to businesses that are already taking strict security measures, i.e., those bound by HIPAA rules.
The information covered by the regulations includes “a person’s name in combination with his or her Social Security number, driver’s license or [state] identification card, credit or debit card number and password, or medical information,” Ballard Spahr said. “When the amendments take effect, ‘personal information’ will also include a person’s name coupled with his or her health insurance information, and a username or email address in combination with a password or security question and answer that would permit access to an online account.”
Health insurance information that falls under the new laws includes policy or subscriber identification numbers as well as “any unique identifier used by a health insurer to identify an individual, or any information in an individual’s application and claims history, including any appeals records.”