During the final days of the 2009 – 2010 legislative session, California Governor Arnold Schwarzenegger signed Senate Bill 9091 ("SB 909") into law.2 SB 909 will require additional disclosures by investigative consumer reporting agencies, as well as by employers who procure investigative consumer reports on job applicants or employees.

Under California law, an "investigative consumer report" refers to a consumer report in which information on a "consumer's character, general reputation, personal characteristics, or mode of living" is obtained through any means.3 Notably, this is broader than the corresponding term under the federal Fair Credit Reporting Act, which is limited to such reports obtained through personal interviews with friends, neighbors, and business associates.4

IMPLICATIONS FOR INVESTIGATIVE CONSUMER REPORTING AGENCIES

  1. Publication of Privacy Practices of Investigative Consumer Reporting Agencies. Effective January 1, 2011, an investigative consumer reporting agency operating in California will be required to post information on its website regarding its privacy practices. If the investigative consumer reporting agency does not have a website, it can comply with SB 909 by mailing a comparable written statement of its privacy practices to consumers upon request.

    The privacy statement "shall conspicuously include," but need not be limited to, the following content:

    • A statement that indicates whether the personal information will be transferred to "third parties" outside the United States or its territories. This statement must be entitled "Personal Information Disclosure: United States or Overseas." SB 909 provides that a "third party" includes, without limitation, "a contractor, foreign affiliate, wholly owned entity, or an employee of the investigative consumer reporting agency." In other words, it appears to encompass international transfers that remain within the same business entity.
    • A section that identifies the investigative consumer reporting agency representative(s) who can assist a consumer with additional information regarding the investigative consumer reporting agency's privacy practices or policies in the event of a compromise of his or her personal information. This section must be "separate" from the statement regarding data transfer practices and include the name, mailing address, email address, and telephone number of the agency representative(s).

  2. Liability for Offshore Security Breaches. SB 909 provides that an investigative consumer reporting agency shall be liable to a consumer who is the subject of a report if the consumer is harmed by any unauthorized access of the consumer's personally identifiable information, act, or omission5 that occurs outside of the U.S. or its territories as a result of the agency negligently preparing or processing any portion of an investigative consumer report outside of the U.S. and its territories. Under this provision, plaintiffs may recover actual damages, plus attorneys' fees and costs. This remedy expands the ICRAA's existing statutory liability provisions.

IMPLICATIONS FOR EMPLOYERS

Under the ICRAA, any person who procures an investigative consumer report for employment purposes must provide certain disclosures to the individual, including the name, address, and phone number of the investigative consumer reporting agency.

Effective January 1, 2012, these disclosures also must include a web address for the investigative consumer reporting agency, where the consumer may find information about the agency's privacy practices, including whether the consumer's personal information will be sent outside of the U.S. or its territories. If the investigative consumer reporting agency has no website, the notice must contain a phone number that the consumer may call to find out more about the agency's privacy practices.

PRACTICE POINTERS

In light of these amendments to the ICRAA, investigative consumer reporting agencies that store personally identifiable information regarding California consumers will need to assess any data processing or storage occurring outside the U.S. and its territories and ensure that their website privacy policies are updated by January 1, 2011. This may be a logical time to reevaluate the data security of offshore facilities, servers, and systems, and contractual protections and indemnification obligations from offshore service providers.

Likewise, employers who obtain investigative credit reports on California employees or prospective employees should update their notice and authorization documents to include the web address or phone number from which consumers may access information regarding privacy practices of the investigative credit reporting agency that prepares the report.

Footnotes

1. 2010 Cal. Stat. 481. The text and legislative history of SB 909 are available at http://www.leginfo.ca.gov/.

2. See http://gov.ca.gov/press-release/16089/.

3. Cal. Civ. Code § 1786.2(c).

4. 15 U.S.C. § 1681a(e).

5. Neither SB 909 nor the IRCAA defines or explains what is meant by "act or omission" as used in this context.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved