In August 2011, California passed a senate bill (SB 24) updating California's security breach notification law, by establishing new content requirements for breach notification letters to California residents and requiring notification to the state attorney general when a breach affects more than 500 California residents. HIPAA-covered entities in compliance with the federal HITECH Act are deemed to have complied with these new content requirements. In addition, entities reporting a security breach that elect to notify affected individuals through the state's media, rather than directly, must now also notify the California Office of Privacy Protection and Consumer Services Agency. The amendments take effect January 1, 2012.
In February 2011, the California Supreme Court held that it is a violation of California law for businesses to request and record a credit card holder's ZIP code in connection with a credit card transaction (Pineda v. Williams-Sonoma, 51 Cal. 4th 524 (Cal. 2011)). Plaintiff filed a putative class action against retailer Williams-Sonoma alleging that it violated California's Song-Beverly Credit Card Act of 1971 (one of the state's consumer protection statutes) when a cashier asked for, and later recorded, plaintiff's ZIP code during a credit card transaction, and plaintiff believed that providing such information was a condition to completing the purchase. The Credit Card Act prohibits businesses from asking for cardholders' "personal identification information" during credit card transactions and then recording that information. The California Supreme Court reversed the lower courts' holdings that ZIP codes were not "personal identification information" and held that the retailer's request and recording of ZIP code information violates the Credit Card Act.
To read "Privacy and Data Protection 2011 Year in Review" in full, please click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.