As the first state in the country to enact data breach legislation, California recently amended its law with regard to companies that offer credit monitoring or identity theft prevention and mitigation services in the wake of a breach.

As originally drafted, the bill mandated that all companies offer such services, but as signed by Governor Jerry Brown, the law only placed certain requirements on companies that voluntarily elect to make such an offer to customers.

Pursuant to AB 1710, if a company offers to provide credit monitoring or identity theft prevention and mitigation services in the wake of a data breach, the services must be provided for free, offered for at least 12 months, and the offer must contain all material information about how to take advantage of the deal.

Specifically, Civil Code Section 1798.82(d)(2)(G) states that “If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information.”

The term “source of the breach” is not defined in the law.

In addition, the updated statute now prohibits the sale, or the offer to sell, an individual’s Social Security number.

The statute does contain exceptions to the restriction on the sale of Social Security numbers, including “if the release [not necessarily a sale] of the Social Security number is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose” or “for a purpose specifically authorized or specifically allowed by federal or state law.” However, the law explicitly prohibits the release of an individual’s Social Security number for marketing purposes.

To read the new law, click here.

Why it matters: The original AB 1710 faced opposition from businesses and retailers, not only because of the mandatory services provision that was later removed, but also because it would have transferred the financial responsibility of a data breach onto the shoulders of the company suffering the breach. That language was dropped before the bill was passed by the legislature and signed by Governor Brown. Although companies dodged a bullet in the final version of the law, they should be aware of the new requirements if they do decide to offer credit monitoring or identity theft prevention and mitigation services.