On September 30, 2014, California Governor Jerry Brown signed into law AB 1710, a bill which expands California’s existing data breach laws. As we discuss in further detail below, the new laws introduce substantive requirements to California’s current data breach law by: (1) prohibiting the sale, advertisement or offer to sell an individual’s social security number, (2) including additional requirements related to identify theft prevention and mitigation services, and (3) requiring business that maintain personal information about California residents to implement and maintain reasonable security measures to protect the personal information of its residents.
This expansion of California’s current data breach laws likely comes on the heels of media reports of data breaches and the alarming number of complaints of identify theft received by federal and state agencies. As we discussed in a previous blog post, Florida has also recently expanded their data breach laws, and we will likely see other states following suit and strengthening their data privacy and security laws. Meanwhile, California remains at the forefront of the development of privacy-related laws.
Protections for Social Security Numbers
AB 1710 amends Cal. Civil Code 1798.85 to increase protection of an individual’s social security number by prohibiting the sale, advertisement for sale, or offer to sell an individual’s social security number with limited exceptions. For example, an exception to AB 1710 includes the release of an individual’s social security number, if the release is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose.
Identity Theft Prevention and Mitigation
Cal. Civil Code 1968.82 currently requires entities that own or license certain personal information to notify individuals whose personal information has been involved in a data breach. The new law requires that if any identity theft prevention and mitigation services are already provided, the data breach notification must inform the affected persons that the services will be provided for at least 12 months and at no cost, and must include information on how to obtain those services.1 The addition of “if any” is an important one and one we have seen misreported. Some have suggested that this law is the first law to require credit monitoring – or similar services – be provided if certain data elements were present. This is not the case. The provision of credit monitoring remains optional – albeit a best practice and one often “required” by state attorneys general – and if offered, then certain instructions need be provided as is typically the case.2
Maintenance of Personal Information
Under Cal. Civil Code 1798.81.5, California currently requires businesses that own or license personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
AB 1710 expands the existing law, now requiring of businesses that merely “maintain” a resident’s personal information to implement reasonable security procedures and practices to protect personal information.3
1 An earlier version of the bill, amended on March 28, 2014, read, “[i]f the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, such as credit monitoring, shall be provided at no cost to the affected person for not less than 24 months…” The final version of the bill added the critical “if any” language, removed the reference to credit monitoring, and shortened the time period to 12 months.
2 That said, we note the ambiguity for the words “if any,” and whether they refer to the availability of credit monitoring services in the marketplace or to whether the business has chosen to offer it. Additionally, the bill’s co-author, Assemblyman Roger Dickinson, stated his view in a recent interview with Law360 that the offer to provide credit monitoring services is mandatory when a driver’s license number or social security number was breached.
3 Under Cal Civil Code. 1798.81.5, “Personal Information” means an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (a) Social security number; (b) Driver’s license number or California identification card number; (c) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; and (d) Medical information.