Last year, California addressed the disposal of personal information by enacting AB 1094, which provides a safe harbor for storage companies or landlords when they end up with others’ records containing personal information. Governor Schwarzenegger, however, vetoed legislation, SB 20, to enhance the state’sbreach notification law to require notification to the California AttorneyGeneral, in addition to the parties that must be notified under existing law. He had vetoed the legislation once before in 2008. The bill’s author introduced the legislation for a third time on February 18, 2010.
A. A.B. 1094 – Data Disposal Law
Under old law, businesses had an obligation to “destroy” or “arrange forthe destruction” of records containing “personal information” that it will no longer retain. “Personal information” is defined in Civil Code § 1798.80(e), and includes more categories of information than the phrase “personal information” under California’s breach notification law. AB 1094 changes the law to require businesses to “dispose” or “arrange for the disposal” of such records. The change from “destroy” to “dispose” may have no practical effect because the means of compliance, shredding, erasing, or making the information unreadable or undecipherable, remain the same under the new law. Cal. Civil Code § 1798.81.
AB 1094 also addresses a situation that may have become all too common with the economic downturn: a tenant leaves commercial space or vacates a storage facility, and the landlord or the storage company ends up with records containing personal information. Under old law, landlords had an obligation to notify tenants and any other person the landlord reasonably believes to be the owner about property remaining in the premises after the tenant has left. Cal. Civil Code §§ 1983(a), 1993.03(a). AB 1094 adds language stating that if property left on the premises consists of records, the tenant is the presumed owner of the records. “Records” has a broad definition that encompass electronic information.
Finally, AB 1094 adds a safe harbor intended for landlords and storage companies left holding records containing personal information after tenants vacate the premises. The bill adds language stating, “A cause of action shall not lie against a business for disposing of abandoned records containing personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.” Cal. Civil Code § 1984(f)(1). While the language is broad enough to cover anyone left holding abandoned records, the legislature declared its intent to create a safe harbor for storage companies and commercial landlords. Id. § 1984(f)(2).
B. Proposed A.G. Reporting Requirement for Data Breaches
California State Senator Joe Simitian, the author of the original SB 1386 breach notification law in California, twice introduced legislation to augment the law by requiring businesses or state agencies providing notice of breaches to also notify the State’s Attorney General if the breach involved the personal information of more than 500 state residents. In both cases, Governor Schwarzenegger vetoed the legislation. The 2009 legislation appeared in S.B. 20.
This February 18, Sen. Simitian reintroduced the legislation as S.B. 1166–for the third time. The Senate Judiciary Committee held a hearing on the bill on March 23, 2010. It remains to be seen whether the third time is a charm. This provision appears in other states’ laws, but the State’s funding crisis may underlie the Governor’s reluctance to require the Attorney General’s office to handle more paperwork.