There is a new California law that took effect in 2015, and it appears to put an added burden on, and create potential risk for, business owners who share customers' personal information with third parties.
Law (A.B.1710)
Previous law required any business that owns or licenses electronic information about California residents to notify them if their information was accessed by an unauthorized person. The new legislation requires, in addition to the notification, that the source of any breach of such information offer the California residents whose personal information was compromised mitigation services and free identity theft protection for a minimum of 12 months.
Previous law made it mandatory that any businesses or website operators that owned personal information about a California resident “implement and keep reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, change, or disclosure.”
The new additional legislation requires that a business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party shall require by contract that the third party implement and keep reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
This new requirement could put you at risk for the behavior of a third party you are contracting with but have no control over.
Although not totally clear, this new legislation could potentially put you, as a website or business owner, at risk should a third party you are contracting with fail to maintain the required security procedures and your customers' information get compromised by that third party.
At the end of the day, these are new requirements for anyone dealing with personal information. Liability is still the same – if you get breached, you are likely going to be on the hook. If the third party gets breached, you still may be on the hook, but hopefully you have some sort of "indemnification" clause or agreement in place under which the third party will cover you for any problems.