Although not legally required to do so, businesses that experience a data breach often provide free credit monitoring or identity theft prevention services to affected consumers. Offering these services can assist potentially affected consumers, help to rebuild a business’s relationship with its customers, and may mitigate potential damage to consumers caused by misuse of their personal information. But at the end of the day, it is generally the business’s decision whether to incur the costs of these services on top of other breach-related costs. That discretion may be about to disappear. Recent high-profile data breaches have prompted legislators at both the state and federal levels to introduce legislation that would impose a variety of new requirements in the event of a breach. Although these new laws differ in many respects, one emerging trend is the codification of a requirement that businesses offer free credit monitoring or identity theft prevention services to affected consumers.
At the federal level, such a requirement is one of the key features of the Data Security and Breach Notification Act of 2014, S. 1976, introduced in the Senate on January 30, 2014. This bill would, among other things, require businesses that suffer a data breach to provide affected consumers in many circumstances with a free credit report upon request, and to continue to provide free credit reports on a quarterly basis for two years thereafter. The Senate has yet to take any action concerning this bill.
In addition, several states have introduced legislation echoing the Senate bill. For example, on February 10, 2014, bill NJ A2480 was introduced in the New Jersey Assembly. Similar to the Senate bill, NJ A2480 would impose on any business required to provide notice of a data breach incident an obligation to pay for affected customers to receive a monthly credit report for at least a year. Customers would have a six-month window following notification of the breach in which to request these free credit reports. NJ A2480 is currently under consideration by the New Jersey Assembly Consumer Affairs Committee.
Shortly after the New Jersey bill was introduced, similar legislation was introduced in both Rhode Island and Minnesota to modify those states’ respective breach notification laws. Unlike the Senate and New Jersey bills, however, both the Rhode Island bill (2014 H7519) and the Minnesota bill (H.F. 2253) would require businesses to provide credit monitoring services, rather than simply provide free credit reports. More specifically, both bills would mandate that businesses required to provide notice of a data breach also provide one year of free credit monitoring to individuals whose personal information was taken, or reasonably believed to have been taken, as part of the breach. H.F. 2253 was referred to the Minnesota House of Representatives Commerce and Consumer Protection Finance and Policy Committee on February 25, 2014. On March 4, 2014, the Rhode Island House Judiciary Committee recommended that 2014 H7519 be held for further study.
In California, legislators have taken a slightly different approach. There, new data breach legislation was introduced on March 28, 2014, in the form of amended A.B. 1710. Rather than require credit reports or credit monitoring, A.B. 1710 would require businesses that suffer a data breach to offer “appropriate identity theft prevention and mitigation services.” These services, which are not defined in the bill, would have to be offered at no cost to affected consumers for at least two years if the data breach exposed the consumer’s name in combination with a Social Security number, a driver’s license number, or a California identification card number. The California Assembly passed A.B. 1710 on May 27, 2014, and the bill is currently being considered by the California Senate. Shortly after taking up the bill, the Senate amended it to reduce the length of time that identity theft prevention and mitigation services must be provided to one year.
Florida legislators have added a further twist in the form of the newly enacted Florida Information Protection Act of 2014. That law, which took effect on July 1, 2014, does not require businesses that suffer a data breach to offer free credit monitoring or identity theft prevention services. Rather, it requires businesses to notify Florida’s attorney general as to whether free credit monitoring, identity theft prevention, or any other “services related to the breach” are, or will be, offered to affected consumers. Although businesses do retain discretion as to whether to offer free services in the wake of a breach, having to report the matter to the attorney general does create an incentive to provide them.
It remains to be seen how many of the aforementioned bills will be passed into law or whether other states will try to introduce similar requirements. One thing is clear — legislators are no longer willing to leave it up to businesses to decide whether to offer free credit monitoring or identity theft prevention services to consumers affected by a data breach. Going forward, the costs of providing such services may become an unavoidable cost in every data breach incident.