A proposed California law, the Consumer Data Breach Protection Act (A.B. 1710),[1] has the potential to upend the calculus of determining liability after retail data breaches, create additional data security requirements for retailers and other consumer-facing businesses operating in California, and establish new standards for data breach reporting for breaches affecting California residents. The bill, introduced by California State Assemblymen Bob Wieckowski and Roger Dickinson in February 2014 and currently pending before the California Assembly Committee on the Judiciary, may in part represent an effort to respond to the recent data breaches affecting Target Corp. and Neiman Marcus Ltd., and aims to strengthen one of the most prescriptive state statutes already in existence.
The heightened concern over data privacy in recent months might enable the passage of the bill, which is a variation of past bills that were vetoed by former Governor Arnold Schwarzenegger.[2] If passed, A.B. 1710 would place California alongside Washington, Minnesota, and Nevada as the states mandating particular data security provisions with respect to payment card data,[3] and would increase the data breach reporting requirements and liability associated with breaches for entities doing business in California.
Data Breach Liability
In large part, A.B. 1710 has received considerable press attention because it has the potential to shift many of the costs associated with data breaches to retailers or other customer-facing businesses and away from financial institutions. A.B. 1710 would apply to any “person or business conducting business in California that owns or licenses computerized or noncomputerized data that contains personal information.” Such businesses, which include large retailers, in many cases have already borne the burden of providing notice to affected consumers, but typically have not had responsibility for costs associated with issuing new credit or debit cards. Under A.B. 1710, these businesses would bear the costs for both components of a data breach response if they are the party responsible for the loss of data pertaining to California residents.
Under A.B. 1710, certain costs in data breach response would shift to customer-facing businesses, although card issuers and financial institutions would still maintain responsibility for covering certain losses arising from the use of stolen card data. First, consumer-facing businesses would carry the liability for reimbursement of “all reasonable and actual cost[s]” for providing notice following a data breach and for replacing the affected debit or credit cards. There is, however, a safe harbor that excuses this liability, in whole or in part, if the relevant business “can demonstrate compliance with specified provisions at the time of the breach.” Second, consumer-facing businesses would also bear the responsibility for offering to provide “appropriate” identity theft prevention and mitigation services, such as credit monitoring, at no cost to potentially affected consumers for a period of not less than 24 months. Historically, many companies have opted to provide credit monitoring or similar services where the potential for harm to consumers existed; this approach would be mandatory, at least with respect to California residents, under A.B. 1710. It does not appear, however, that A.B. 1710 as drafted would alter the existing statutory liability scheme that allocates the cost to financial institutions for payments made on cards reportedly stolen or hacked; losses to consumers in such circumstances are capped at the federal level by the Fair Credit Billing Act (FCBA)[4] and the Electronic Funds Transfer Act (EFTA)[5] for credit cards and debit cards, respectively.
Beyond the provisions concerning the reimbursement of costs, A.B. 1710 would authorize civil actions by affected individuals against businesses that suffer a data breach, and would permit public prosecutors to commence actions to recover a civil penalty of up to $500 per violation, or up to $3,000 per violation for willful, intentional, or reckless violations. These liability provisions apply broadly to the California data breach statute, and not simply to the provisions created under A.B. 1710. They have the potential to reinvigorate post-data breach litigation and could expose businesses to significant class action claims or prosecutions.
Enhanced Data Security Measures
A.B. 1710 also imposes more stringent requirements on retailers’ data security practices. Under the bill in its current form, businesses that accept credit card, debit card, or other similar payment mechanisms would be prohibited from doing the following:
- Storing payment-related data, unless the business has in place—and follows—a data retention and disposal policy that limits the amount of data stored and the length of time for which such data is stored to the amount and time necessary for business, legal, or regulatory purposes as outlined in the policy
- Storing sensitive authentication data, even if encrypted; such data would include the full data track contents from a payment card or device, the card verification code or similar value, and the personal identification number (PIN) or encrypted PIN block for a card
- Storing any sensitive information that is not needed for business, legal, or regulatory purposes
- Storing other sensitive payment-related data, including payment verification codes or values, PIN numbers, Social Security numbers, or driver’s license numbers
- Retaining the primary account number associated with a payment mechanism, unless it is retained in compliance with the law and is stored in a form that is “unreadable and unusable” to unauthorized persons
- Sending payment-related data over open, public networks unless the data is encrypted using strong cryptography and security protocols, or is otherwise rendered indecipherable
- Failing to limit access to payment-related data to those employees whose job requires such access
Compliance with all of the above provisions would serve to excuse partial or full liability from costs associated with providing notice and issuing new credit or debit cards. As currently drafted, however, the retailer would still be responsible for the costs of consumer credit monitoring. Additionally, the requirements proposed by A.B. 1710 may come into conflict with existing requirements imposed on retailers by financial institutions and card issuers, including requirements to store payment data for certain purposes and authorization data to defend against chargebacks. Reconciling these rules will likely be an important part of the legislative process in which card issuers and financial institutions provide input to synchronize the requirements placed on consumer-facing businesses.
Other Provisions of A.B. 1710
In addition to the liability-shifting and retailer requirements described above, A.B. 1710 would limit actions that persons or businesses may take with respect to individuals’ Social Security numbers. Existing law currently prohibits persons or entities, with few exceptions, from publicly posting or displaying Social Security numbers, or from taking other actions that might compromise the security of Social Security numbers, unless required by federal or state law. A.B. 1710 would prohibit anyone within California from selling, advertising for sale, or offering to sell an individual’s Social Security number.
A.B. 1710 would also remove the encryption safe harbor from California’s data breach notification statute. In its current form, disclosures of breaches must be made where “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”[6] The word “unencrypted” would be removed under A.B. 1710, which would have the likely effect of increasing the number of reportable breaches in California.
Another minor change under A.B. 1710, but one with implications for entities that maintain paper documents, is the expanded scope of California’s data breach notification law to include breaches implicating non-computerized data. Entities that experience a data breach are not currently obligated to provide notice relating to data breaches involving paper files; under A.B. 1710, notice would be required. If this proposed change comes into effect, companies that maintain physical copies of documents containing personally identifiable information should ensure that robust records management and destruction policies are in place to avoid a reportable breach involving those physical documents.
A.B. 1710 would also expand the manner and timing in which a business must provide notice to affected California residents following a data breach. Current law requires that any entity experiencing a breach must “disclose a breach of the security of the system following discovery or notification of the breach” and that “[t]he disclosure shall be made in the most expedient time possible and without unreasonable delay . . . .” A.B. 1710 proposes that entities provide notice “within 15 days of the breach,” but does not remove the existing language regarding providing notice “in the most expedient time possible and without unreasonable delay.” Thus, A.B. 1710 would likely require notification as soon as reasonably possible but in no event later than 15 days after the breach. A.B. 1710 provides mechanisms by which such notification must occur: (a) email notice if the entity has an email address on record for the affected individual; (b) conspicuous posting on the entity’s website for at least 30 days; and (c) notification to “major statewide media.”[7] As currently drafted, A.B. 1710 would require an entity experiencing a breach to engage in all three actions, and previously accepted means of notice, including the mailing of letters to consumers, would not be deemed sufficient notice.
The Legislative Context
A.B. 1710 has drawn strong opposition from retailers and other consumer-facing businesses. California Retailers Association president Bill Dombrowski, whose organization represents nearly three million California workers (approximately one-fifth of the California workforce), argues that the bill “arbitrarily assesses financial penalties on the retailer” rather than allowing the affected parties to resolve the incident and allocate responsibility.[8] Dombrowski has stated that “it’ll be a big fight, a tough fight” for the bill to be enacted.[9] It has been suggested that the California Retailers Association’s opposition, along with lobbying from the Chamber of Commerce and Bankers Association, has played a role in the failure of previous bills.[10]
It is not clear, however, that the same coalition will oppose A.B. 1710, as banks and other financial institutions are increasingly being called on to cover costs relating to large data breaches. The financial industry itself has now called on lawmakers to develop more stringent standards for data security. Recently, as a result of steep losses following data breaches, credit unions have begun pushing for Congress to adopt stronger cybersecurity laws to mandate federal data security standards, joining other financial institutions and major technology firms in seeking to set federal baselines for data security.[11] Although A.B. 1710 would not remove all breach remediation costs from financial institutions and card issuers, it would likely be a boon to financial institutions that have suffered losses as a result of reissuing cards where breaches exposed credit card or debit card data. This would be particularly true if other states followed California’s example, as has occurred previously with data breach notification and other data-security-related laws.
The introduction of A.B. 1710 also comes at a time when California has aggressively sought to protect the privacy and data security of its residents. In February, the Office of Attorney General Kamala Harris issued a report, entitled “Cybersecurity in the Golden State,”[12] focused on improving business data security protections and enhancing responses to malware, data breaches, and other information security risks. According to the report, the Office of the Attorney General received reports of 131 data breaches affecting an aggregated 2.5 million Californians in 2012, half of which may have been preventable if companies had used stronger or stricter encryption procedures when transmitting information.[13] Attorney General Harris has also begun a stronger enforcement effort relating to data security and privacy, and the California Department of Justice now staffs a Privacy Enforcement and Protection Unit dedicated to privacy education and enforcement.
[1] “Consumer Data Breach Protection Act,” California Assembly Bill 1710, 2013-2014 Cal. Leg. Session, available at http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140AB1710.
[2] See, e.g., Assemb. 779 Veto Message, 2007-2008 Leg., 2007-2008 Sess. (Cal. 2007), available at http://www.leginfo.ca.gov/pub/07-08/bill/asm/ab_0751-0800/ab_779_vt_20071013.html. A.B. 779 had received unanimous backing in the Assembly, but Governor Schwarzenegger cited PCI DSS standards and marketplace risk-allocation measures in vetoing the legislation. See also Dan Kaplan, “Schwarzenegger Shoots Down California Data-Protection Bill,” SC Magazine, October 15, 2007, http://www.scmagazine.com/schwarzenegger-shoots-down-california-data-protection-bill/article/57998/.
[3] See RCW Ch. 19.255 (Washington law incorporating concepts from PCI DSS for data security standards); Minn. Stat. § 325E.64 (Minnesota Plastic Card Security Act prohibiting retention of certain card data for more than 48 hours after authorization of a transaction); Nev. Rev. Stat. Ch. 603A (incorporating PCI DSS standards by reference for compliance with state law).
[4] Fair Credit Billing Act, Pub. L. No. 93-495 (as amended), codified at 15 U.S.C. § 1601 et seq.
[5] Electronic Funds Transfer Act, Pub. L. No. 95-630 (as amended), codified in scattered sections of 12 U.S.C. ch. 3 and 15 U.S.C. ch. 41.
[6] Cal. Civ. Code § 1798.82.
[7] The term “major statewide media” is undefined by the bill.
[8] See Kira Lerner, “Calif. Bill Would Make Retailers Liable in Data Breaches,” Law360.com, April 7, 2014.
[9] See Marc Lifsher, “Making Retailers Liable for Damages from Hacking,” Los Angeles Times, April 6, 2014.
[10] See Kaplan, “Schwarzenegger Shoots Down California Data-Protection Bill.”
[11] See, e.g., Andrew Ramonas, “Make Cybersecurity Laws a Priority, Credit Unions Plead,” Corporate Counsel, April 21, 2014.
[12] California Office of the Attorney General, Cybersecurity in the Golden State, February 2014, available at https://oag.ca.gov/cybersecurity.