As public awareness of large data breaches increases, so do the regulatory stakes. California’s AB 1710, signed into law on September 30, 2014, builds on existing California data breach legislation and expands the requirements to potentially encompass thousands more businesses across the country.

AB 1710 makes three major changes to the current data breach laws in California:

  1. Requires businesses that maintain Personal Information about California residents (whether or not they own such information) to implement and maintain appropriate and reasonable security procedures and practices to protect Personal Information from unauthorized access, destruction, use, modification, or disclosure;
  2. Requires that if a person or business “was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed [Personal Information];”
  3. Prohibits businesses from selling, offering for sale, or advertising for sale social security numbers unless the sale is part of a legitimate business transaction or is specifically authorized or allowed by federal or state law.

Personal Information includes the individual’s first name or first initial, and last name, in combination with information such as the individual’s social security number, medical information, financial account information or driver’s license number.

Requirement number two of the new law creates some ambiguity due to the words “if any.” The California legislature did not clarify whether the requirement to provide one year of free identity theft prevention and mitigation services applies to all data breaches, or only to people and businesses that already offer such services. Further guidance will be needed to clarify the requirement.

Because the California law applies to any business that maintains Personal Information on a California resident, the law will impact businesses located outside California. Until a federal or model state law is passed, businesses can expect more variations and modifications to the landscape of data breach laws. It is important for companies to stay current on developments in this area in order to meet their obligations.