By: Jean-Paul Cart
On January 1, 2015, California will usher in yet another set of changes to its consumer privacy and data breach notification laws. A.B. 1710 will expand the current statutory requirements for data security and will further complicate California's data breach notification requirements. The news is not all bad for businesses, however, as the final version of A.B. 1710 signed into law by Governor Jerry Brown on September 30 is far more restrained than the original proposal that drew strong criticism from business groups earlier this year.
Businesses that "maintain" personal information must implement reasonable security measures.
Section 1798.81.5(b) of the California Civil Code currently provides that a business that "owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information ..." When it goes into effect in January, A.B. 1710 will expand this requirement to also apply to a business that "maintains" personal information (i.e. a business that possesses, but does not necessarily "own" or "license," personal information). Thus, businesses such as data and information service providers that store, transmit or process personal information will be required to implement reasonable security measures under the revised statute.
This expansion of Section 1798.81.5 may have limited practical effect on current practice. To comply with the current version of the statute, any business that discloses personal information to a third party pursuant to a contract (e.g. for data processing or storage) already must require that third party to implement and maintain reasonable security measures. And a data service provider without reasonable security measures probably cannot compete in today's market in any event. However, California law recognizes a private right of action for any consumer injured by a violation of consumer records laws, including Section 1798.81.5. (This has been the law in California since the legislature added Section 1798.84(b) to the California Civil Code in 2001.) As such, a business that "maintains" personal information and fails to implement reasonable security measures might find itself liable to California residents whose personal information has been compromised. Yet few businesses that "own or license" such information have been sued under the current version of Section 1798.81.5, and data breach plaintiffs generally struggle to convince courts that they have suffered any legally cognizable injury. Thus, a deluge of new claims against data and information service providers seems quite unlikely.
Free identity theft protection is not required upon breach of credit/debit card numbers or medical information; uncertainty remains regarding social security and driver's license numbers.
The original version of A.B. 1710 would have required a business to provide 24 months of free identity theft protection following any data breach involving "personal information" (i.e. social security, driver's license or credit/debit card numbers or medical information). The final version of A.B. 1710 is certainly more business-friendly than the original, in that it clearly does not require free identity theft protection for data breaches involving credit/debit card numbers or medical information. However, it is ambiguous and fails to provide clear guidance to the business community with regard to data breaches involving social security or driver's license numbers.
On January 1, 2015, Section 1798.82(g) will be added to the California Civil Code to state that:
"If the person or business providing the notification [of a data breach] was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed [a California resident's social security or driver's license numbers]."
The ambiguity lies in the words "if any." Under a plain language reading, the legislature's inclusion of "if any" implies that businesses are not required to offer identity theft protection following a data breach, but if they choose to do so, they must meet the no-cost, 12-month and information disclosure requirements set forth in the new law. Under this interpretation, A.B. 1710 seems to do little to further its stated purpose of increasing consumer protection. Another interpretation has been offered by A.B. 1710 co-author Assemblyman Roger Dickson, who recently stated that the legislature intended for the "if any" language to recognize that while a data breach notification is required for all breaches involving personal information, an offer of free identity theft protection is only required when social security or driver's license numbers have been compromised.
Assemblyman Dickson has already stated that he intends to pursue further amendments to California's data breach notification laws next year. Hopefully, such efforts will yield much-needed clarification. In the meantime, it is clear that businesses will not be required to provide free identity theft protection when only credit/debit card or medical information has been stolen. If social security or driver's license numbers have been compromised, businesses will need to weigh the potential costs of providing free identity theft protection for 12 months compared to the risks and costs associated with a potential violation of this poorly worded revision to Section 1798.82(g).
For more information, please contact any member of Schiff Hardin's Cybersecurity and Data Privacy Client Services Team.