Prompted by data breaches affecting large retailers in the United States, the California legislature recently passed Assembly Bill 1710 (A.B. 1710) to update the state’s breach notification law to require breached entities to provide free credit monitoring services to affected individuals following certain types of data breaches. This change, effective January 1, 2015, was recommended by the California Attorney General’s Office in its 2013 Data Breach Report. The Attorney General’s Office recently published its 2014 Data Breach Report, and its recommendations provide insight into the office’s enforcement priorities. The recommendations may also find their way into California law.
California Breach Notification Statute
California has been a leader in providing privacy-related protections to its citizens. Like most states, California enacted a breach notification statute which requires businesses that own or license computerized data to provide notice to affected individuals in the event of a breach involving their personal information.1 The statute requires that the notice to affected individuals contain certain content2 and be sent “in the most expedient time possible and without unreasonable delay.”3 A business may also need to notify the California Attorney General if the breach affects more than 500 California residents.4
The state has regularly expanded its breach notification statute to cover additional types of information and to require notification of the Attorney General in some instances.5 The latest statutory update may obligate some businesses victimized by a data breach to provide free credit monitoring services to affected individuals for one year. The revised statute states:
If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed [social security number, driver’s license number, or California identification card number].6
The practical effect of this statutory update is somewhat unclear, because most businesses affected by a breach already provide one year of free mitigation services, and the ambiguity in the statutory language may mean the requirement only applies in a very narrow set of circumstances.
The Amendment May Require What Most Businesses Already Do. Many businesses already voluntarily provide free identity theft prevention and mitigation services (e.g., credit monitoring) to affected individuals after a breach. According to the California Attorney General’s 2014 Data Breach Report, over 70 percent of the entities that experienced a breach involving the social security numbers or the driver’s license numbers of California residents voluntarily offered to provide access to a free mitigation service for at least one year.7
The Amendment Seems to Apply to Narrow Circumstances. The new statutory language may apply only in narrow circumstances. The new requirement seems to apply only to an entity that both: (1) is statutorily required to notify individuals of a breach; and (2) is the source of the breach. Under the California statute, only the data owner or licensor has the obligation to notify individuals of a breach. Entities that maintain data on behalf of other entities, typically vendors and service providers, do not have the obligation to notify individuals.8 Therefore, the new requirement would seem to apply only to data owners and licensors and not to vendors and service providers.
The second factor for determining whether an entity must provide free mitigation services is whether the entity was the “source of the breach.” The statute does not define the term “source of the breach,” but the use of this language may significantly narrow the applicability of the requirement. Commonly, businesses use vendors and service providers to maintain their data. When such data is breached at a vendor, or while a vendor is transmitting it, the vendor may be the “source of the breach.” In the Target breach, the HVAC vendor neither maintained nor had access to any of the breached data; instead, network credentials stolen from the vendor reportedly were used to gain access to Target’s network, which led to Target’s data breach. Even there, the vendor may have been the “source of the breach.” In both of these examples, the statute may not require the provision of free mitigation services, because the vendor, possibly the source of the breach, is not the entity required to provide notice to affected individuals.
The new statutory requirement to provide a free mitigation service may apply only when the breached entity is holding the breached data, it is the owner or licensor of the data, and its vendors and service providers were not the source of the breach. Thus, the new requirement may only apply to a narrow set of circumstances.
The Amendment Is Grammatically Ambiguous as to What Is Required. Because the statute requires an offer of identity theft prevention and mitigation services “if any,” there is a grammatical argument that the statute regulates only the terms of an offer: an entity that chooses to offer such services must provide them at no cost for at least 12 months, but no entity is required to offer them in the first place. Under this interpretation, businesses are not statutorily required to provide access to mitigation services. Some commentators, however, read the statute to require an entity to provide free mitigation services whenever it is statutorily required to notify individuals of a breach and it is the source of the breach.
The statute’s lack of clarity likely creates a situation where businesses that experience a data breach involving social security numbers, driver’s license numbers, or state identification card numbers will not know whether they must provide free mitigation services. Businesses that otherwise would not provide mitigation services after a breach will need to perform a risk evaluation based on the circumstances of the breach to decide whether to provide these services at no cost to affected individuals, which adds time and cost to breach response.
Other Related Statutory Updates. California also updated other data-related protections through A.B. 1710. California already required owners and licensors of personal information to implement and maintain reasonable security procedures and practices.9 The legislation expanded this security requirement to also cover businesses that maintain personal information. The statute defines “maintain” to cover situations where the business does not own or license the personal information. This change could extend the data security requirement to vendors and service providers that handle personal information for their customers.
A.B. 1710 also updated the California statute governing a person’s or business’s use of social security numbers. The original statute prohibited individuals and businesses from publicly posting or displaying social security numbers and imposed certain security requirements when requesting or sending a social security number over the Internet.10 The updated statute also prohibits the sale of social security numbers, except when the release of the social security number is part of “a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose.”11 Under the updated statute, businesses likely may continue to sell data assets as part of a merger or other business change and to process transactions that require the disclosure of social security numbers. However, the sale of social security numbers for no other purpose, such as a hacker selling the payload of a data breach, likely would violate the statute.
The original proposed A.B. 1710 was narrowed considerably in the legislature after strong opposition from retailers and other consumer-facing businesses.12 It remains to be seen whether the bulk of the original bill will be resubmitted to the legislature following reports of more breaches at large retailers.
2014 California Data Breach Report
The California Attorney General’s Office released its latest Data Breach Report in October 2014.13 Like the previous report, the 2014 report provides analysis of data breaches reported to the Attorney General’s Office and proposes industry and legislative recommendations. The legislature codified into law two of the five recommendations proposed in the 2013 report.14 Therefore, the new report could be seen as a roadmap to future statutory requirements.
The data breach report publishes findings the California Attorney General considers important, such as the common causes of breaches. The report indicates that the number of reported breaches increased from the prior year by over 25 percent and the number of records breached increased by over 35 percent (excluding the Target and LivingSocial breaches, which were extreme outliers). Due to the large breaches victimizing Target and LivingSocial, the retail sector accounted for 84 percent of the total records breached. The common causes of the data breaches reported to the California Attorney General are consistent with global data breach statistics. A slight majority of the breaches involved computer intrusions by outside criminals. The loss or theft of devices accounted for just over 25 percent of the breaches, and unintentional errors accounted for 18 percent.
The California Attorney General made twelve recommendations in the report, which are grouped by intended audience and listed below. The recommendations likely indicate the Attorney General’s current enforcement priorities.
- Retail Sector
  - Chip-enable point-of-sale terminals. More than 80 countries use chip-enabled payment cards, which are considered more secure than the magnetic stripes used on payment cards in the United States. Empirical evidence indicates that chip-enabled cards greatly decrease fraud in face-to-face card transactions.15
  - Encrypt payment card data end-to-end during transactions.
  - Tokenize payment card data during transactions.
  - Respond promptly and provide affected individuals with notice promptly after a data breach. The report recommends that retailers have a tested incident response plan and a trained response team in place to improve the quality and timeliness of breach responses.
  - Improve notice following breaches of payment card data. The report suggests that retailers providing breach notice should give more detail about the breach, such as the time period and the specific locations affected, tell affected individuals how they can protect themselves from fraudulent use of the breached information, and post a link to the notice on the company’s Internet home page for at least 30 days.
- Retailers and Financial Institutions
  - Protect debit cardholders following data breaches. When a breach affects a debit card account, funds can be stolen directly from the account and may not be restored until the bank completes its investigation. Moreover, a customer’s liability for stolen funds can increase the longer the customer waits to notify the bank. The report recommends that retailers provide notice to affected individuals explaining that cancelling affected debit cards may be the best way to mitigate harm.
- Healthcare Sector
  - Encrypt medical information on portable devices. Breaches involving healthcare organizations are usually more harmful because they commonly involve both social security numbers and medical information, and most of them involve lost or stolen devices; encrypting those devices could prevent or mitigate many of these breaches.
- All Industries
  - Conduct annual data security risk assessments and update privacy and security practices based on the findings.
  - Encrypt portable devices and personal information in transit.
  - Improve the readability of breach notices. The report found that breach notices are typically written at a college reading level rather than at the average adult reading level.
- California Legislature
  - Amend the breach notification statute to: (1) strengthen the substitute notice provision that commonly is used in large breaches; (2) clarify the roles and responsibilities of data owners and data maintainers in the event of a breach; and (3) require a final breach report to the California Attorney General.
  - Collect funds to help small businesses upgrade point-of-sale systems.
California updated its breach notification law in a way that could require the provision of free mitigation services to individuals affected by a data breach. However, the ambiguity of the statutory language, and the fact that organizations involved in breaches already commonly provide these services for free, may mean that the updated statute makes little practical difference to individuals affected by breaches.
The 2014 Data Breach Report demonstrates the California Attorney General’s concerns related to the data breaches involving retailers and other industry sectors. These concerns are areas the Attorney General will likely continue to monitor closely for possible investigations, and the associated recommendations could ultimately be codified into law by the California legislature. Therefore, businesses may benefit by reviewing the recommendations in the report and considering how they may implement them.
1 “Personal information” is defined as “an individual’s first name or first initial and last name” plus any of the following: social security number; driver’s license number or state ID card number; “account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account”; medical information; or health insurance information. After recent amendments, personal information also includes “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.” Cal. Civ. Code § 1798.82(h); Eye on Privacy, “California Extends Security Breach Notification Requirements to Online Account Credentials,” November 2013, available at https://www.wsgr.com/publications/PDFSearch/eye-on-privacy/Nov2013/index.html#3.
2 Cal. Civ. Code § 1798.82(d).
3 Cal. Civ. Code § 1798.82(a); Eye on Privacy, “Breach Notification: Timing Is Everything,” November 2013, available at https://www.wsgr.com/publications/PDFSearch/eye-on-privacy/Nov2013/index.html#4.
4 Cal. Civ. Code § 1798.82(f).
5 Eye on Privacy, supra note 1; WSGR Alert, “New California Security Breach Notification Requirements to Take Effect January 1,” September 7, 2011, available at https://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-security-breach-notification.htm; WSGR Alert, “California Expands the Information Subject to Security Breach Notification Requirements,” December 28, 2007, available at https://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/clientalert_securitybreach.htm.
6 California Assembly Bill No. 1710 (2014).
7 California Department of Justice, California Data Breach Report 2014 14 (October 2014), available at https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2014data_breach_rpt.pdf (statistics calculated based on breaches reported to the California Attorney General during the years 2012 and 2013) (hereinafter 2014 Data Breach Report).
8 Cal. Civ. Code § 1798.82(b).
9 Cal. Civ. Code § 1798.81.5(b).
10 Cal. Civ. Code § 1798.85(a).
11 Cal. Civ. Code § 1798.85(a)(6).
12 Eye on Privacy, “Proposed California Law Would Impose Data Breach Liability on Retailers and Create More Stringent Data Security Requirements for Businesses,” July 2014, available at https://www.wsgr.com/publications/PDFSearch/eye-on-privacy/Jul2014/index.html.
13 2014 Data Breach Report, supra note 7.
14 California Department of Justice, Data Breach Report 2012 (2012), available at http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2012data_breach_rpt.pdf (making the following recommendations: (1) encrypt personal information in transit; (2) review and update security controls; (3) improve breach notice readability; (4) offer mitigation products to victims of data breaches involving social security numbers or driver’s license numbers (codified into law); and (5) legislation to include online account credentials as personal information in breach notification statute (codified into law)).
15 See Douglas King, “Chip-and-Pin: Success and Challenges in Reducing Fraud,” Retail Payments Risk Forum, January 2012, available at https://www.frbatlanta.org/-/media/Documents/rprf/rprf_pubs/120111wp.pdf.