On September 30, 2014, California Governor Jerry Brown signed into law an expansion of current California data breach laws. The bill, AB 1710, which was introduced in the wake of several high-profile data breaches, builds on current breach notification requirements applicable to certain companies or individuals engaged in business in California. Specifically, if a person or business providing a notification to an affected person is the source of a breach, the notification shall offer to provide appropriate identity theft prevention and mitigation services at no cost for at least 12 months following the breach. According to the bill's co-author, Assemblyman Roger Dickinson, D-Sacramento, the new credit monitoring requirement is triggered if customers' Social Security numbers or drivers' licenses are breached.
The bill also expands the type of businesses that must implement and maintain reasonable security procedures and practices to protect personal information from unauthorized use, access, destruction, modification or disclosure. Under AB 1710, that requirement, which had applied only to businesses that own or license personal information about a California resident, now extends to businesses that "maintain" such information.
AB 1710 is a watered-down version of an earlier proposal that would have restricted how companies can hold on to data, mandated tougher encryption standards and held companies financially responsible for damages caused by a breach. That original bill was opposed by a coalition of business groups that included tech, insurance, retailer and financial groups, as well as the California Chamber of Commerce.
According to the coalition's April 2014 letter to the bill's co-sponsors, that earlier bill "impos[ed] onerous and unneeded data management mandates and creat[ed] new financial liabilities for non-governmental entities that take payment cards (credit and debit cards) or other payment devices. If enacted, AB 1710 would be ineffective and in some ways counterproductive to improving data security in California—it would increase fraud, waste resources that would be better spent on security, and would result in over-notification that would ultimately confuse California consumers." Proponents of more comprehensive legislation have vowed to renew efforts to pass the earlier proposal in the coming year.
As federal data breach notification legislation continues to languish on Capitol Hill, it is likely that more states will continue to enact, modify or toughen their own state requirements. Companies that are in California should ensure their data breach response policies and procedures reflect these new requirements, and should monitor legislative developments for any effort to amend California's current notification laws and encryption standards. Companies not subject to the California requirements should continue to monitor efforts in other states in which they may do business to ensure that onerous requirements that do little to promote better security are not imposed on more businesses. All companies that own, license or maintain personal information—including but not limited to California businesses—have a stake in this new law, as it could set the trend for state legislation with the continued failure of Congress to pass a clear and responsible data breach notification bill.