It is hard to miss the number of high-profile security breaches in the news lately. In response to these breaches, many states are now implementing legislation to help consumers whose personal information is exposed. It is unclear whether this new legislation is alleviating the problem or simply muddying the waters until a uniform federal breach requirement is implemented.
California is the most recent state to up the ante, with Governor Jerry Brown signing AB 1710 into law on September 30, 2014. AB 1710 builds on the existing California data breach legislation and expands the requirements to potentially encompass thousands more businesses across the country. Due to vague wording in the final draft of the bill, however, this legislation may do little more than solidify what many companies already have in practice.
AB 1710 sets forth three major changes to the current data breach laws in California:
- Requires businesses that maintain Personal Information of California residents to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure;"
- Requires that "if a person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information…;"
- Prohibits businesses from selling, offering for sale, or advertising for sale social security numbers unless the sale is part of a legitimate business transaction or is specifically authorized or allowed by federal or state law.
While California had already required certain businesses to implement security procedures, this requirement was previously only for businesses that "own" or "license" personal information about California residents. Personal Information includes the individual's first name or first initial and last name, along with sensitive information such as the individual's social security number, medical information, financial account information or driver's license number. By expanding the requirement to businesses that "maintain" personal information, many more businesses around the country are now swept in.
While the first and third obligations are relatively straightforward, the confusion lies in the interpretation of the second requirement. By inserting the words "if any" into the statute, California has introduced ambiguity, and two schools of thought have emerged. The first side argues that this language means that persons or businesses that are subject to a data breach involving SSNs, driver's license numbers, or California ID numbers must provide one year of credit monitoring services at no cost to those individuals affected. The other side argues that the "if any" language means this requirement only affects those persons and companies that are already offering these credit monitoring services, and thus only makes it necessary for those companies to continue that service for one year without cost to the affected individual. Further guidance will be needed to clarify the requirement.
While there remains uncertainty, what we can learn from AB 1710 is that until a Federal or model state law is passed, the landscape of the country's breach notification laws will remain in a state of flux and confusion. It is nonetheless important for companies to stay apprised of the current laws, and the interpretation of those laws, in order to meet their obligations.