On September 30, 2014, California's Governor Brown signed
A.B. 1710, a bill establishing new requirements under
California's data breach notification statute. The new law adds
three provisions to the existing statute, California Civil Code
section 1798.81.5: (i) it prohibits the sale, advertisement for
sale, or offer to sell an individual's Social Security number,
other than as permitted by law; (ii) it extends the requirement to
maintain reasonable security practices and procedures to businesses
that maintain the personal information of California residents
(i.e., data processors and service providers), not only those that
own or license such information; and (iii) in the event that the
party providing breach notification was the source of the breach,
it contains requirements regarding offers to provide identity theft
prevention and mitigation services to the person affected by the
breach.

The first change is straightforward. With respect to the second,
prior to the amendments, only companies that owned or licensed
personal information of a California resident were required to
implement and maintain reasonable security procedures and practices
appropriate to the nature of the information. The statutory
imposition of the reasonableness standard on entities that merely
"maintain" personal information could be a significant
expansion that implicates service providers and the growing number
of companies offering "cloud-based" services. The third
change already is generating debate and uncertainty over whether it
imposes a mandatory requirement for theft prevention and mitigation
services, or merely dictates how to do so if a company so chooses.
Although the latter reading is more consistent with the plain
language, it departs from the original intent of the bill. In any
event, the confusion further complicates the already
difficult-to-navigate patchwork of varying state laws on data
breach notification.

The version of the bill signed by the governor reflects several
other significant changes from the original text, which appear to
have been made in response to business groups such as the
California Retailers Association, California Bankers Association,
and the Internet Association. The original bill included provisions
that would have required businesses to bear the costs associated
with issuing new payment cards in response to a breach of the
company's customer data, unless they met safe harbor criteria.
It also would have imposed limitations on the storage of consumer
data and would have authorized civil actions by individuals against
businesses affected by a data breach as well as prosecutions for
recovery of statutory penalties. It remains to be seen if these
issues are raised again in later bills, and/or in other
states.

The law still requires an owner or licensee of personal information
to disclose a data breach to any California resident whose
unencrypted personal information was, or is reasonably believed to
have been, acquired by an unauthorized person. The amendments do
not change the obligation of entities that "maintain"
personal information to notify the information's owner or
licensee of the breach immediately following its discovery (and the
data owner may then have its own notification obligations). The law's
additional protections for Social Security numbers supplement
existing protections that prohibit the public display or posting of
a Social Security number, as well as other acts that fail to
adequately secure the information, such as requiring the
transmission of a customer's Social Security number without
encryption.

The amendments reflect incremental change as opposed to the
significant change that the original drafters seem to have
intended. Nonetheless, they make clear that California will
continue to prioritize privacy and data security, and companies
doing business here or with California residents should stay up to
date on the legal requirements, ensure they are maintaining
reasonable security procedures and practices to protect the
personal information of California residents from unauthorized
access, and confirm that they have an appropriate breach procedure
in place. Such a program should include the development,
implementation, and maintenance of a vendor compliance assessment,
as well as ongoing monitoring.