Following a string of high-profile data breaches and new data suggesting that approximately 21.3 million customer accounts have been exposed by data breach incidents over the past two years, the California legislature has introduced legislation aimed at making retailers responsible for certain costs in connection with data breach incidents. If passed in its current form, Assembly Bill 1710, titled the Consumer Data Breach Protection Act, would have a substantial impact on retailers operating in California.
Among the major changes proposed in the bill:
- Stricter Notification Requirements. The proposed bill would create stricter time-frames and specific requirements for notification of affected consumers following a data breach incident. In addition to current requirements to notify consumers individually in the most expedient time possible, a retailer affected by a data breach will be required, within 15 days of the breach incident, to provide email notification to affected individuals, post a general notice on the retailer’s web page and notify statewide media.
- Retailer Liability for Costs Associated with Data Breach Incidents. A.B. 1710 would amend California’s Civil Code to make retailers liable for reimbursement of expenses incurred in providing the notices described above, as well as the cost of replacing payment cards of affected individuals.
- Mandatory Provision of Credit Monitoring Services. If the person or business required to provide notification under the Civil Code is the source of the breach incident, A.B. 1710 will require that person or business to offer to provide identity theft prevention and mitigation services at no cost to affected consumers for not less than 24 months.
- Prohibitions Against Storing Payment-Related Data. Under a new section to be added to the Civil Code, persons or businesses who sell goods or services and accept credit or debit card payments would be prohibited from storing payment-related data unless that person or business stores and retains the data in accordance with a payment data retention and disposal policy that limits retention of the data to only the amount of time required for business, legal and regulatory purposes. In addition, A.B. 1710 imposes further restrictions on the retention and storage of certain sensitive authentication information, such as social security numbers, drivers’ license numbers and PIN numbers.
- Authorization of Civil Penalties. As amended by A.B. 1710, the Civil Code would authorize a prosecutor to bring an action in response to a data breach incident to recover civil penalties of up to $500 per violation, or up to $3,000 for a willful or reckless violation.
Historically measures like A.B. 1710 have faced a difficult road. Similar bills passed by the California legislature were vetoed twice by Governor Schwarzenegger, and the proposal of A.B. 1710 has already caused the California Retailers Association to speak out against the bill. However, there may be a critical difference in the current climate because consumer awareness of the danger and reality of breach incidents has never been higher and, as shown by the recent Harris Poll, consumers overwhelmingly believe that merchants are to blame.