California To Expand Its Data Breach Notification Rules
California has broadened its data breach notification statutes in response to the increasing number of large data breaches of customer information. AB 1710, which Governor Jerry Brown signed into law, amends California’s Data Breach Notification Law to (1) ban the sale, advertising for sale or offering for sale of social security numbers, (2) extend the existing data-security law and obligations applicable to entities that own or license customer information to entities that “maintain” the information, and (3) require that, if the person or business providing notification of a breach under the statute was the source of the breach, the notice must include an offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost for 12 months, along with any information necessary to take advantage of the offer. The last of these amendments has spurred some debate over whether the statute actually mandates an offer of credit monitoring or other services, given its use of the phrase “if any.” It is also unclear what exactly is intended by, or who qualifies as, “the source of the breach.”
The use and placement of the phrase “if any” in the statute does create some ambiguity. The statute, however, speaks in mandatory terms when it states the notification “shall include” an offer of these services. Its plain language also suggests the phrase “if any” is directed to the question of whether appropriate identity theft or mitigation services exist and are available – not whether they must be offered. A review of the measure’s legislative history confirms this. The committee analyses all discuss this element of the statute as “requiring” an offer of services. Indeed, the legislative analysis immediately following the addition of the phrase “if any” defined the problem under existing law to be that it does not require any prevention or mitigation steps, and states that this measure (AB 1710) addresses this issue by requiring an offer of appropriate “identity theft prevention and mitigation services, if any are available,…” This interpretation is also consistent with the fact that an offer is only required when the breach involves disclosure of highly sensitive information that tends to lead to identity theft or credit card fraud, i.e., the customer’s social security, driver’s license or California identification number.
Whether such services would, to some degree, be appropriate is unlikely to be the primary conversation this amendment sparks. The livelier topic will likely be who is the “source of the breach” (and even then the offer is only required when you are both the source of the breach and the party giving notice under the statute) and what standards apply for determining “appropriate” services. The legislative history is not equally helpful on these questions. Thus, until the scope of this new requirement becomes clearer, businesses involved in a breach under the statute need to carefully think through the risks of offering certain services when providing notice.
These new rules take effect on January 1, 2015.