On September 30, 2014, California's Governor Brown signed A.B. 1710, a bill establishing new requirements under California's data breach notification statute. The new law adds three provisions to the existing statute, California Civil Code section 1798.81.5: (i) it prohibits the sale, advertisement for sale, or offer to sell an individual's Social Security number, other than as permitted by law; (ii) it extends the requirement to maintain reasonable security practices and procedures to businesses that maintain the personal information of California residents (i.e., data processors and service providers), not only those that own or license such information; and (iii) in the event that the party providing breach notification was the source of the breach, it contains requirements regarding offers to provide identity theft prevention and mitigation services to the person affected by the breach.
The first change is straightforward. With respect to the second, prior to the amendments, only companies that owned or licensed personal information of a California resident were required to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. The statutory imposition of the reasonableness standard on entities that merely "maintain" personal information could be a significant expansion that implicates service providers and the growing number of companies offering "cloud-based" services. The third change is already generating debate and uncertainty over whether it imposes a mandatory requirement to provide identity theft prevention and mitigation services, or merely dictates how to do so if a company chooses to offer them. Although the latter reading is more consistent with the plain language, it departs from the original intent of the bill. In any event, the confusion further complicates the already difficult-to-navigate patchwork of varying state laws on data breach notification.
The version of the bill signed by the governor reflects several other significant changes from the original text, which appear to have been made in response to business groups such as the California Retailers Association, California Bankers Association, and the Internet Association. The original bill included provisions that would have required businesses to bear the costs associated with issuing new payment cards in response to a breach of the company's customer data, unless they met safe harbor criteria. It also would have imposed limitations on the storage of consumer data and would have authorized civil actions by individuals against businesses affected by a data breach as well as prosecutions for recovery of statutory penalties. It remains to be seen if these issues are raised again in later bills, and/or in other states.
The law still requires an owner or licensee of personal information to disclose a data breach to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The amendments do not change the obligation of entities that "maintain" personal information to notify the information's owner or licensee of the breach immediately following its discovery (the owner or licensee then may have its own notification obligations). The law's additional protections for Social Security numbers supplement existing protections that prohibit the public display or posting of a Social Security number, as well as other acts that fail to adequately secure the information, such as requiring a customer to transmit his or her Social Security number without encryption.
The amendments reflect incremental change as opposed to the significant change that the original drafters seem to have intended. Nonetheless, they make clear that California will continue to prioritize privacy and data security, and companies doing business here or with California residents should stay up to date on the legal requirements, ensure they are maintaining reasonable security procedures and practices to protect the personal information of California residents from unauthorized access, and confirm that they have an appropriate breach procedure in place. Such a program should include the development, implementation, and maintenance of a vendor compliance assessment, as well as ongoing monitoring.