Spurred by the security breaches at Target, Neiman Marcus, and The Home Depot, California Gov. Jerry Brown signed Assembly Bill No. 1710 into law on September 30, 2014. The bill expands requirements on persons or businesses that own, license, and maintain personal information about a California resident. Specifically, the new law amends sections 1798.81.5, 1798.82, and 1798.85 of the California Civil Code to reflect the following changes:
- Expands the provisions that require businesses to provide security measures involving personal information to include businesses that “maintain” information about a California resident, not just those who “own” or “license” that information.
- Requires that if the person or business providing a security breach notification was the source of a breach that involved the exposure or possible exposure of social security numbers (SSNs) or driver’s license numbers, then “an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months.”
- Prohibits the sale, advertisement for sale, or offer for sale of an individual’s social security number, except in specific circumstances.
Previously, only businesses that owned or licensed personal information about a California resident were required to implement and maintain reasonable security procedures and practices to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Owned and licensed personal information includes “information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates.” For example, financial institutions have long been deemed “owners” of personal information under the existing law, and frequently have to issue notices of breach in situations when the actual incident did not even occur at a bank or credit union. However, with the new bill, as long as a business maintains personal information, it will be responsible for disclosing that a breach occurred. This expands the data breach laws to include retailers that have personal information about their customers, but do not use it in the manner defined above.
In addition, AB 1710 requires businesses that are the source of a security breach involving SSNs or driver’s license numbers to provide identity theft prevention and mitigation services, if any, at no cost to the affected person for a minimum period of 12 months. The plain text of the statute makes the requirements regarding cost and length of services conditional on the company offering services at all. By saying that “an offer…if any” must meet certain requirements, the statute precludes very short-term “offers” that really function as teasers to get people to subscribe for services at their own expense. However, many commenting on the bill before and after passage have essentially read the “if any” language out of the text by construing the provision to make credit monitoring or a like service mandatory. Regardless of the interpretation, the new provision reflects the legislature’s interest in offering security breach victims a means to ameliorate the situation.
Finally, the new bill also provides that a person or entity may not sell, advertise for sale, or offer to sell an individual’s SSN except in specific circumstances allowed by the law. For example, businesses are not prohibited from incidentally releasing social security numbers when it is necessary to do so to accomplish a legitimate business purpose. Note, however, that it is not permissible to release an individual’s social security number for marketing purposes.
The new amendments go into effect January 1, 2015. Beginning then, businesses that violate the law may be subject to civil actions by customers seeking to recover damages or injunctive relief. Cal. Civ. Code § 1798.84(b) and (e).