States Weigh In on Identity Theft Protections

In April 2013, the SEC and the CFTC jointly issued their final rules and guidelines for entities regulated by each of the respective agencies under Regulation S-ID – Identity Theft Red Flags Rules (the “Rule” or “Regulation S-ID”). The new regulation became effective on May 20, 2013 and requires all affected firms to have policies and procedures in place by November 20, 2013. Regulation S-ID requires that all “financial institutions” (as that term is defined in the Rule) develop policies and procedures to prevent, identify and mitigate identity theft.
Individual states are now also creating rules and regulations that may help supplement the policies and procedures required by Regulation S-ID. For example, in the State of California, Cal. Civ. Code 1798.82 (California’s data breach notification law) describes what the state deems to be personally identifiable information, which currently includes information such as a person’s first name or first initial and last name in combination with any of the following: Social Security number, driver’s license number, etc. Governor Jerry Brown recently signed into law an amendment (taking effect January 1, 2014) that amends the current code and requires that “user names and email addresses must be combined with a password or security question and answer to permit access to an online account.” In addition, should there be a breach of this type of information, the firm must provide notice to the affected person, directing him or her to change his or her password and security question or answer, as applicable, and to take other appropriate steps to protect the online account in question and all other accounts for which that person uses the same credentials.
Furthermore, if the firm has more than 500 clients located in the state of California and a breach occurs, not only is the firm required to notify individual clients as described above, but it must also submit an online form to the State of California describing the breach and steps taken in response to the breach.  A sample of this form can be found here. For further information on this, or other related topics, please contact us at or (619)298-2880.
