On September 30, 2014, California Governor Jerry Brown signed into law AB 1710, a bill which expands California’s existing data breach laws.  As we discuss in further detail below, the new laws introduce substantive requirements to California’s current data breach law by: (1) prohibiting the sale, advertisement or offer to sell an individual’s social security number, (2) including additional requirements related to identify theft prevention and mitigation services, and (3) requiring business that maintain personal information about California residents to implement and maintain reasonable security measures to protect the personal information of its residents.

This expansion of California’s current data breach laws likely comes on the heels of media reports of data breaches and the alarming number of complaints of identify theft received by federal and state agencies.  As we discussed in a previous blog post, Florida has also recently expanded their data breach laws, and we will likely see other states following suit and strengthening their data privacy and security laws.  Meanwhile, California remains at the forefront of the development of privacy-related laws.     

Protections for Social Security Numbers

AB 1710 amends Cal. Civil Code 1798.85 to increase protection of an individual’s social security number by prohibiting the sale, advertisement for sale, or offer to sell an individual’s social security number with limited exceptions.  For example, an exception to AB 1710 includes the release of an individual’s social security number, if the release is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose.

Identity Theft Prevention and Mitigation

Cal. Civil Code 1968.82 currently requires entities that own or license certain personal information to notify individuals whose personal information has been involved in a data breach. The new law requires that if any identity theft prevention and mitigation services are already provided, the data breach notification must inform the affected persons that the services will be provided for at least 12 months and at no cost, and must include information on how to obtain those services.1   The addition of "if any" is an important one and one we have seen misreported.  Some have suggested that this law is the first law to require credit monitoring - or similar services - be provided if certain data elements were present.  This is not the case.  The provision of credit monitoring remains optional - albeit a best practice and one often "required" by state attorneys general - and if offered, then certain instructions need be provided as is typically the case.2  

Maintenance of Personal Information

Under Cal. Civil Code 1798.81.5, California currently requires businesses that own or license personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. 

AB 1710 expands the existing law, now requiring of businesses that merely “maintain” a resident’s personal information to implement reasonable security procedures and practices to protect personal information. 3