Cal-Peculiarities: How California Employment Law is Different - 2023 Edition

68 | 2023 Cal-Peculiarities ©2023 Seyfarth Shaw LLP www.seyfarth.com

4.8.2 Duty to protect personal information

California businesses owning personal information—such as SSNs, driver’s license numbers, credit card numbers, medical information—must “maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”39

A business that “discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party”—e.g., an employer that releases personal information when contracting with third parties for payroll, benefits administration, or background check purposes—must “require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”40

4.8.3 Social media password and access protections

California employers must not request or require employees or job applicants to divulge personal social media account information.
The term “social media” broadly encompasses all digital or electronic content, including videos, photographs, blogs, podcasts, instant-text messages, email, on-line services or accounts, and internet website profiles.41

Specifically, employers must not ask or demand that employees or applicants (1) disclose a user name or password to access a personal social media account, (2) access personal social media in the employer’s presence, or (3) divulge any personal social media.42 Employers must not take any adverse action for refusing or failing to comply with such a request or demand.43

Employers still may, however, ask employees to divulge personal social media reasonably believed to be relevant to investigating suspicions of employee misconduct or violations of law, so long as the employer uses the social media solely for that or a related investigation or proceeding.44 And employers can still request this information for the purpose of accessing an employer-issued electronic device.45

4.8.4 Other personal information

The Court of Appeal has upheld an employee’s right to sue her employer on the basis that her supervisor had informed the workforce that the employee suffered from bipolar disorder.
Although the defendant won summary judgment against this claim for invasion of privacy—on the ground that the alleged disclosure was oral only and not reduced to a writing—the Court of Appeal reversed, holding that “disclosure in a writing is not required to maintain a cause of action for public disclosure of private facts.”46

4.9 Security of Personal Information

4.9.1 Potential liability for failing to secure personal information

Businesses that collect the personal information of California consumers have an affirmative obligation to protect that information from unauthorized or illegal access, destruction, use, modification, or disclosure.47 Failure to implement reasonable security procedures and practices to protect such personal information can subject an employer to class action liability up to $750 per impacted employee per incident.48 Additionally, such failure can trigger administrative fines ranging from $2,500 for each violation to $7,500 for each intentional violation.49

It is important to note that the scope of this obligation is broader than the breach notice obligation (see § 4.9.2, immediately below). The affirmative obligation around reasonable security is for “personal information.” Breach notice obligations only apply to “computerized data.” Thus the “reasonable security” obligation applies to both offline and on-line data. Similarly, the monetary liability will apply to both off- and on-line data.

4.9.2 Duty to provide notice of security breaches

California businesses owning or licensing any computerized data including unencrypted (and, in some instances, encrypted) personal information must, upon breach of the security of that information, notify the affected persons
