With California Governor Schwarzenegger's recent signature of SB 909, more regulations will be placed on consumer reporting agencies (CRAs). Although the provisions of the bill do not take affect until January 1, 2012, CRAs may need to take time to prepare.
A CRA will be required to must post its privacy practice policies on its Internet site or be prepared to mail a written copy of the policy statement to consumers upon request. Also, the consumer must be provided a separate section in the privacy statement that includes the name, mailing address, email address, and telephone number of the CRA's representatives who can assist a consumer with additional information regarding the CRA's privacy practices or policies in the event of a compromise of his or her information.
Perhaps more importantly is a new requirement that demands a CRA to inform a consumer if the consumer's personal information is transferred to third parties outside the United States. This "third party" is defined but, not be limited to, a contractor, foreign affiliate, wholly owned entity, or an employee of the CRA. A CRA will be liable for any security breaches that occur overseas with their third-party to the extent of the actual damages caused by the breach of security plus attorney fees.
If you read the bill - or the law - you will note the use of the term Investigative Consumer Reporting Agency throughout. California does not use the definitions established by the Federal Fair Credit Reporting Act (FCRA). What California defines as an Investigative Consumer Reporting Agency is actually what the FCRA defines as a Consumer Reporting Agency. And the FCRA has a different definition for what constitiutes an entity as an Investigative Consumer Reporting Agency.
The legislation amends California Civil Code §1786.16 and §1786.20. View the legislation at www.leginfo.ca.gov (click on Bill Information and then enter SB909).