Entities that own, license or maintain personally identifiable information on California residents beware – on January 1, 2015, an amendment to California’s privacy and breach law goes into effect that may have a significant impact on the way entities respond to data breaches. Starting in January, companies may be required to provide identity restoration or mitigation services, if appropriate, to impacted individuals. The amendment also extends data protection security obligations to entities that maintain personal information about a California resident and prohibits the advertisement of, offer to sell or sale of Social Security numbers, with limited exceptions.
What Does A.B. 1710 Really Mean?
California’s current breach notification law requires any “person or business conducting business in California that owns or licenses computerized data that includes personal information” to notify any resident of California if their personal information was, or is reasonably believed to have been, acquired by an unauthorized individual. Cal. Civ. Code 1798.80 et seq. A.B. 1710, which takes effect in January 2015, appears to require a company that is the source of a breach to provide identity restoration and mitigation services. Specifically, A.B. 1710 provides that “If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months….” (Emphasis added.) This requirement appears to be triggered only when an individual’s name and their Social Security number, driver’s license number or California identification card number were acquired by an unauthorized individual as a result of a breach.
But what does “if any” truly mean? Does it mean that if any services are offered, they must be offered at no cost for 12 months, so that it remains the company’s choice whether to provide identity restoration or mitigation services at all? Or is “if any” intended to require businesses to provide identity protection and mitigation services whenever Social Security numbers or driver’s license/state identification card numbers are breached? And what constitutes “mitigation services”? Is pointing affected individuals to resources, such as the Federal Trade Commission’s website on identity theft, sufficient? Or does a company actually have to pay for a product to be considered to be providing “mitigation services”? While these questions remain open, at least one thing is clear: companies that own, license or maintain personal information, regardless of their size, need to make sure reasonable security standards are in place to protect the data and need an incident response plan they can follow when a security breach occurs.
Review Current Insurance and Third-party Service Provider Coverage
In addition to evaluating their information security protocols and policies, entities that possess the personal information of California residents should review their insurance policies, first to make sure they have cyber insurance that provides data breach coverage, and second to determine if their policies will cover the potentially significant cost associated with notification and identity protection or mitigation services. Some policies may be limited to notification costs or identity protection services, while others may include litigation and regulatory coverage. In the same vein, insurance companies should review their coverage offerings and clarify any ambiguities now to avoid future coverage disputes over what is required to comply with California’s law.
The amendment also expands the requirement for reasonable security standards to cover companies that maintain personal information, in addition to those that own or license it. This will have significant implications for third-party service providers, vendors and other entities providing services to businesses that hold personal information of California residents. As noted above, the amendment appears to require the entity that is the “source of the breach” to offer identity restoration or mitigation services to impacted individuals. Because the law does not define “source of the breach”, companies – including third-party service providers – should carefully consider the impact of this law on their business contracts, including limitation of liability and indemnification clauses. Companies should also ensure that their third-party service providers carry proper insurance with sufficient limits to cover a breach of personal information.
The final piece of the amendment to the California law prohibits the sale of, advertising for sale of and offering to sell Social Security numbers. This does not extend to the exchange of Social Security numbers incidental to a larger transaction when necessary to identify the individual for a legitimate business purpose or for a purpose specifically authorized or allowed by federal or state law.
California considers itself a leader among the states when it comes to enacting legislation to protect its citizens, and A.B. 1710 is another example of California raising the expectations for businesses and individuals who interact with its citizens. These entities need to be cognizant not only of California’s new law but also of the likelihood that other states will follow suit. In advance of the January 1, 2015, effective date, these entities should review and update their incident response plans and protocols, reassess their potential risk, and ensure they are properly covered by insurance.