Startups Beware! CA Breach Notification Laws Expanded
COO & Co-Founder
If you’re a tech startup, your duties to protect your users’ personal information just got a bit more onerous. Last Friday (Sept 27th), Governor Jerry Brown signed a bill into law that expands the security/data breach notification requirements beyond their current scope. Up until now, companies only had to notify users of a breach if they actually confirmed the loss of certain personal information, including identifier numbers (social security, driver’s license), credit card numbers, or certain medical/insurance information. The folks at Fox Rothschild did a good job of breaking down the new law in this article, but we’ll just give you the absolute basics here:
While the new CA breach notification laws don’t change actual security requirements, this law obviously has some implications for your tech operations and infrastructure. Depending on how your company/product is built, you may have to add an additional layer to your operations to deal with these new requirements. And unfortunately, it’s not quite as easy to automate something that can be based on a “reasonable belief.”
Keep in mind that this law protects CA residents, meaning that you don’t have to be a CA startup to fall under its scope. It’s a pretty safe bet that unless you’re beta testing in NYC or something, you’re going to have at least some users out west. These infrastructure changes apply to basically everyone!
The change also opens you up to even more cyber liability in the form of “failure to inform” style lawsuits. It’s unclear (at least to this writer) what counts as “unreasonable delay” for this law, and usually that definition will be hammered out during the first few painful notification-related court cases. If you’re worried about your cyber exposure, read more here or reach out to us to get a quote any time.
PCI DSS compliance and cyber liability can seem confusing, but we break it down for you so you can keep your business booming.