Not to be outdone by Florida, California has yet again amended its data security breach law and again in groundbreaking (yet confusing) fashion. On September 30, 2014, California Governor Brown signed into law a bill (“AB 1710”) that appears to impose the country’s first requirement to provide free identity theft protection services to consumers in connection with certain data security breaches. The law also amends the state’s personal information safeguards law and Social Security number (“SSN”) law. The amendments will become effective on January 1, 2015.
Free Identity Theft Protection Services Required for Certain Breaches
Most significantly, AB 1710 appears to amend the California breach law to require that a company offer a California resident “appropriate identity theft prevention and mitigation” services, at no cost, if a breach involves that individual’s name and SSN, driver’s license number or California identification card number. Specifically, AB 1710 provides, in pertinent part, that if a company providing notice of such a breach was “the source of the breach”:
an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached.
The drafting of this requirement is far from clear and open to multiple readings. In particular, the use of the phrase “if any” can be read in multiple ways. For example, the phrase “if any” can be read to modify the phrase “appropriate identity theft prevention and mitigation services.” Under this reading, the law would impose an obligation to provide free identity theft protection services if any such services are appropriate. The phrase “if any,” however, could be read to modify the “offer” itself. Under this alternate reading, the law would provide that if a company intends to offer identity theft protection services, those services must be at no cost to the consumer. It is difficult to know how the California Attorney General (“AG”) or California courts will interpret this ambiguity. One thing is clear: until the AG or courts opine, the standard will remain unclear.
The drafting of the requirement is also unclear in other ways. For example, the statute does not specify what type of services would qualify as “appropriate identity theft prevention and mitigation services.” Would a credit monitoring product alone be sufficient to meet the requirement? Or would the law require something in addition to credit monitoring, such as an identity theft insurance element?
Nonetheless, state AGs historically have encouraged companies to provide free credit monitoring to consumers following breaches. In addition, even though not legally required, free credit monitoring has become a common practice, particularly for breaches involving SSNs and also increasingly for high-profile breaches. California, however, appears to be the first state to legally require that companies offer some type of free identity theft protection service for certain breaches.
AB 1710 is particularly notable in its approach. First, the offer of free identity theft protection services will only be required for breaches involving SSNs, driver’s licenses or California identification card numbers. In this regard, an offer of free identity theft protection services will not be required for breaches involving other types of covered personal information, such as payment card information or usernames and passwords. This approach endorses a position that many companies have long held—that credit monitoring is appropriate only when the breach creates an actual risk of new account identity theft (as opposed to fraud on existing accounts). In addition, the offer of free identity theft protection services will only be required for a period of one year (as opposed to, for example, two years). The length of the offer of free credit monitoring has always been an issue of debate, and California has now endorsed a position that a one-year offer is sufficient.
Service Providers Directly Subject to Safeguards Requirements
AB 1710 also amends the California personal information safeguards law to impose the state’s safeguards obligations directly on entities who “maintain” information, even if they do not own that information. The state’s safeguards standard historically required companies that “own or license” covered personal information about California residents to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information” in order to protect the personal information from unauthorized activity. The existing standard did not apply directly to third parties, such as service providers, that maintain information, but do not own it. Instead, the existing standard required that owners of personal information contractually require nonaffiliated third parties to whom they would disclose such information to take steps to protect the information.
AB 1710, however, specifically amends the safeguards law to impose its reasonable security procedures and practices standard directly on entities that “maintain” covered personal information, even if they do not “own or license” the data. Moreover, AB 1710 eliminates the requirement to pass through security obligations by contract to certain third parties. Specifically, AB 1710 provides that the third-party contract requirement does not apply to a company that provides covered personal information to a third party that will now be directly subject to the safeguards standard (i.e., a third party that “maintains” covered personal information). As a result, the third-party contract requirement would appear to apply only when a company discloses covered personal information to a nonaffiliated third party that will handle such data, but not “maintain” it.
New Prohibition on Sale of SSNs
Finally, AB 1710 amends the California SSN law to prohibit any person from selling, advertising for sale or offering to sell an individual’s SSN. Moreover, AB 1710 specifically provides that the “[r]elease of an individual’s [SSN] for marketing purposes is not permitted.” This new prohibition on the sale of SSNs, however, will not apply: (1) if the disclosure of the SSN is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose; or (2) for a purpose specifically authorized or allowed by federal or state law. Although AB 1710’s limitation on the sale of SSNs is unique among the many state SSN laws, other state SSN laws do include similar prohibitions, such as the Alaska, Minnesota, North Carolina, South Carolina and Vermont laws.
Practical Implications for Businesses
The California requirement regarding free identity theft protection services for certain breaches adds yet another layer of complexity for a company that suffers a breach. Companies should be prepared to make difficult decisions regarding how to implement the new requirement. For example, companies should consider:
- Until further guidance is provided by the AG or courts, how will your company interpret the language of the requirement? For example, will your company take the position that AB 1710 does not actually impose a requirement to offer free identity theft protection services?
- What type of “appropriate identity theft prevention and mitigation” services will your company offer when it believes such an offer is required?
- In the event of a breach involving information regarding residents of multiple states, including California, will your company extend an offer of identity theft protection services to residents of states other than California?
- Will your company offer identity theft protection services in connection with breaches involving personal information other than SSN, driver’s license number or California identification card number?
- When your company offers free identity theft protection services, will it provide the offer only for one year? Are there circumstances in which your company will extend an offer for a longer period?
As has been historically true, other states may follow California’s lead. As a result, it will be important to monitor state legislative developments, and if a state imposes a similar requirement, determine if it follows a risk-based approach similar to AB 1710.
In addition, companies whose services to others involve maintaining, but not owning, personal information relating to California residents should be aware that they will be directly subject to the requirements of the California safeguards law. Before AB 1710’s new requirements become effective, such companies should take a fresh look at their security procedures and practices and consider whether they are appropriate and would comply with the California safeguards requirement.