Businesses operating in California and Nevada will need toexamine the security measures that protect “personal information” that they sharewith others as part of their operations.

The two states are expanding the definition of “personalinformation” and are requiring companies that share the informationto not only take extra security precautions themselves whenmanaging the information, but to ensure that any entities theyshare information with also abide by strict security measures.

In a recent alert to clients and others, the law firm BallardSpahr cautioned that companies doing business in the two statesneed to immediately review their “personal information” protectionpolicies and systems.

California’s new law takes effect Jan. 1, 2016. Nevada’s tookeffect July 1.

The new regulations, which are similar, the firm said,apply “to two broad categories of businesses—those which own,license, or maintain personal information about California [and Nevada] residents, and businesses which, pursuant tocontract, disclose personal information about California [andNevada] residents to unaffiliated third parties,” the law firmsaid.

“When disclosing personal information,businesses are also required to ‘pay (the protection) forward’ byincluding, in the agreements with the third parties to whominformation is disclosed, contractual provisions mandatingimplementation of reasonable security measures.”

The new regulations don’t apply to businesses that are alreadytaking strict security measures, i.e., those bound by HIPAArules.

The information covered by the regulations includes “a person’sname in combination with his or her Social Security number,driver’s license or [state] identification card, credit or debitcard number and password, or medical information,” Ballard Spahrsaid. “When the amendments take effect, ‘personalinformation’ will also include a person’s name coupled with his orher health insurance information, and ausername or email address in combination with a password orsecurity question and answer that would permit access to an onlineaccount.”

Health insurance information that falls under the new lawsinclude policy or subscriber identification numbers as well as “anyunique identifier used by a health insurer to identify anindividual, or any information in an individual’s application andclaims history, including any appeals records.”