The California Legislature is considering enacting Assembly Bill 1859 ("AB 1859"), which would impose substantial new security obligations on consumer credit reporting agencies and companies that contract with such agencies. Under AB 1859, credit reporting agencies and their contractors would be required to expediently apply software updates to their systems, proactively identify and address vulnerabilities, and regularly test their systems. A credit reporting agency or contractor that fails to take these steps and subsequently suffers a data breach could be liable for civil penalties, damages and attorney's fees.
Overview of Proposed Legislation
The proposed legislation creates a specific set of obligations and penalties aimed at mitigating the harm caused by data breaches involving consumer credit information. Under AB 1859, a consumer credit reporting agency or contractor that owns or maintains the personal information of a California resident is required to apply software updates to address vulnerabilities. Specifically, the proposal adds Section 1798.81.6 to the California Civil Code, which mandates that credit reporting agencies and contractors apply software updates addressing a vulnerability within three business days of discovering it and take reasonable steps to mitigate the risk of a breach until such updates are applied. If a credit reporting agency or contractor fails to take these steps and suffers a breach, California residents whose information is affected are deemed to have suffered an injury in fact and are entitled to recover civil penalties, damages and attorney's fees.
California Civil Code Section 1798.84 sets the maximum civil penalties that can be recovered at $3,000 for each willful, intentional or reckless violation. For other violations, California residents can recover up to $500 per breach. Currently, this section establishes the penalties for other types of security breaches and unauthorized disclosures and creates a system under which potential penalties can be predicted with some level of accuracy. However, as discussed below, the proposed legislation seeks to upend this system by expanding liability to credit reporting agencies and their contractors, imposing new obligations and allowing affected California residents to recover more than mere civil penalties.
Notable Obligations and Liability Under AB 1859
Likely responding to the much-publicized 2017 Equifax data breach, AB 1859 changes the existing legal landscape in several significant ways that are more expansive than previous legislative proposals in California and other states. Most notably, it is formulated to:
- Apply both to consumer credit reporting agencies and to entities that contract with consumer credit reporting agencies and maintain information about California residents on behalf of such agencies.
- Require credit reporting agencies and contractors to patch known vulnerabilities within three business days of discovery.
- Require credit reporting agencies and contractors to "identify, prioritize, and address the highest-risk security vulnerabilities most quickly" to reduce the likelihood they will be exploited.
- Require credit reporting agencies and contractors to "test the impact of mitigation measures and software updates . . . and how they effect [sic] the vulnerability of the system to threats."
- Allow affected California residents to recover damages in addition to civil penalties and attorney's fees for "each breach."
Taken together, these changes expose a whole new class of companies to security obligations and to liability if they suffer a breach. Consumer credit reporting agencies, as well as any company that contracts with these agencies or uses credit reporting information, could face substantial consequences for failing to update and test their systems. These companies would also be required to proactively identify and address vulnerabilities, regardless of their size and in-house capabilities. AB 1859 thus creates a new regime under which credit reporting agencies and contractors alike will have to devote more time and resources to compliance and will face greater and less predictable consequences if they suffer a breach.
Implications and Next Steps
As of the writing of this alert, AB 1859 is on the Assembly Floor and could be voted on this week. Although it would still have to pass through the California State Senate and be signed by Gov. Brown, companies that deal with credit reporting information should take notice now. The bill represents an aggressive response to what many states perceive as a failure to hold credit reporting agencies and their contractors accountable for securing their systems and addressing vulnerabilities. If AB 1859 becomes law, it could serve as a model for other states to follow and fundamentally change how risk and liability are allocated in industries that use credit reporting information. Perhaps just as important, it may lead to significant penalties for the unwary.