California Amends Data Breach Legislation
Continuing our coverage of the flurry of bills signed into law by California Governor Jerry Brown last week, we turn now to AB 1710, an amendment to California’s data breach legislation. The data breach amendment makes three notable changes to existing laws regarding personal information privacy:
1. Requires Companies that Maintain Personal Information to Implement and Maintain Reasonable Security Procedures and Practices.
California’s existing data breach law requires companies that own or license personal information to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information . . . .” Under existing law, the terms “own” and “license” include personal information retained as a part of a business’s internal customer accounts or for the purpose of using the information in transactions.
AB 1710 extends this requirement to companies that merely “maintain” personal information about Californians. The bill defines maintained information in the negative, as personal information that a business does not own or license.
For purposes of implementing and maintaining reasonable security procedures and practices, California defines “personal information” as an individual’s first name (or first initial) and her last name in combination with her social security number, driver’s license or California ID number, any medical information, or a financial account number (such as a credit or debit card number) and the associated access code. Cal. Civ. Code § 1798.81.5(d)(1).
2. Requires Companies that Maintain Personal Information to Disclose Certain Data Breaches.
Existing California legislation requires companies that own or license personal information to disclose a data breach where it is reasonably believed that unencrypted personal information about a Californian was acquired without authorization. Current legislation provides that such disclosure be made “in the most expedient time possible and without unreasonable delay.”
AB 1710 adds a breach disclosure requirement for entities that merely maintain personal information. In addition, AB 1710 requires that companies that maintain personal information notify the owner or licensee of the personal information “immediately.” Existing law requires that companies that own or license personal information disclose a breach “in the most expedient time possible and without unreasonable delay”—a more flexible requirement and one that makes more sense, because remediation and investigation can add information to a notification that is highly useful to consumers.
It is worth noting that for purposes of data breach disclosure, California adds to the definition of “personal information” above “[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account.” See Cal. Civ. Code § 1798.82(h)(2).
3. Requires Certain Companies to Provide Free Identity Theft Prevention and Mitigation Services for 12 Months.
With AB 1710, California appears to become the first state to require that certain businesses provide identity theft prevention and mitigation services at no cost for 12 months where certain personal information is breached. Specifically, AB 1710 seems to require the provision of such services to anyone whose name and social security number, driver’s license number, or California ID number were breached, where either the name or data elements were not encrypted.
The qualifiers “appears to” and “seems to” appear in the description above because the text of AB 1710 renders the requirement uncertain:
“If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months . . . .”
The uncertainty stems from AB 1710’s inclusion of the phrase “if any.” (Read: “an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost . . .”) The placement of the phrase allows one to argue that AB 1710 does not actually obligate persons or businesses that were the source of a breach to provide identity theft prevention and mitigation services. Instead, one could argue that AB 1710 merely requires those entities that elect to provide identity theft prevention and mitigation services do so at no cost for at least 12 months.
In a press release, California Assemblymember Roger Dickinson (D-Sacramento), the bill’s co-author, stated that AB 1710 “[r]equires the source of the breach to offer identity theft prevention mitigation services at no cost to the affected person for no less than 12 months . . . .” However, while the March 28, 2014 draft of the bill did not include the phrase and thus mandated the provision of identity theft prevention and mitigation services, the April 24, 2014 draft quickly introduced the phrase “if any,” and may be read to have removed the mandatory nature of the requirement. In all, the current state of the law leaves room for interpretation and the ambiguity is worth noting.
Another potential issue is AB 1710’s requirement that this burden be carried out by persons or businesses that are the “source of the breach.” The bill does not define “source of the breach,” nor does it provide further guidance. As a result, companies may be unclear as to which entity is at “fault” and responsible for the remedial measure.
Although unrelated to data breaches, also included in AB 1710 is a prohibition of the sale, the advertisement for sale, or the offer to sell an individual’s social security number.