A bill has been introduced in the California legislature that would dramatically increase retailers’ liability for data breaches. Dubbed the “Consumer Data Breach Protection Act,” Assembly Bill 1710 would enact sweeping changes to California’s data breach notification laws, setting short deadlines by which consumers would need to be notified of breaches and increasing the penalties associated with such breaches. AB 1710’s new provisions would apply to all businesses that sell goods or services to California residents and accept credit or debit cards, although the law retains exemptions for certain businesses that are subject to other privacy regulations (such as financial institutions).
The California Retailers Association has already come out in opposition to the bill, and in years past, has successfully fought similar efforts to expand the state’s data breach notification laws. However, given the number of recent high profile data incidents, lawmakers are in a stronger position this year to amend California’s data protection laws. Indeed, as introduced, AB 1710 made only minor nonsubstantive changes to the data privacy laws, but in the wake of various well-publicized data breaches, the bill’s authors substantially amended the bill to increase the “teeth” in the law.
The following briefly summarizes some of the bill’s key proposed changes:
Expands Restrictions on Data Use and Retention. AB 1710 limits retention of “payment-related data” to the amount of time required for “business, legal, or regulatory purposes.” Retention of payment-related data would be prohibited if it is unnecessary for those purposes. The bill also requires businesses to create “payment data retention and disposal” policies specifying the amount of time such data will be retained. The bill prohibits the retention of certain types of data, such as card verification codes, PIN numbers, social security and driver’s license numbers. The bill also forbids the sale of an individual’s social security number. The term “payment-related data” is defined to include all items that fall within the current statutory definition of “personal information,” such as a consumer’s name, social security number, driver’s license number, account numbers, and user name and passwords.
Expands Liability for Data Breaches. AB 1710 would make businesses that maintain data liable to the “owner or licensee” of that data for the costs of providing notice of data breaches, as well as the costs of card replacement as a result of the breach. The statute contains no true “safe harbor” provision excusing businesses from this liability even when their security procedures follow industry best practices, but the bill provides that businesses “may be excused” from liability if they can demonstrate compliance with statutory requirements. The bill also expands liability for violations of California’s data breach notification law by authorizing public prosecutors to seek civil penalties of $500 per violation, or $3,000 per violation in the case of intentional or reckless violations. This is in addition to existing provisions permitting consumers to seek damages and, for certain types of violations, civil penalties. Public prosecutors would also be authorized to seek civil penalties of $500 per violation when a party violates restrictions on the use of social security numbers.
Expands and Speeds Up Notification Requirements. AB 1710 expands notification requirements by requiring that consumers be notified when unauthorized persons acquire even encrypted personal information, or when noncomputerized data is involved (currently, only data breaches involving unencrypted computerized data require notification). Additionally, the entity that maintains the data would be required to notify affected consumers within 15 days of the breach, by sending them an email, posting a notice on the internet and notifying “major statewide media.” This notification could only be delayed at the request of law enforcement.
Requires Identity Theft and Mitigation Services. If the business providing the notification was responsible for the breach, AB 1710 requires that consumers whose personal information may have been exposed be provided free identity theft prevention and mitigation services (such as credit monitoring) for at least 24 months.
Mandates Encryption. Under the bill, primary account numbers could only be retained if maintained in a form that would be “unreadable and unusable” to unauthorized persons. Payment-related data could only be transmitted over public networks if it is encrypted or “otherwise rendered indecipherable.”
Expands Restrictions on Data Access. Businesses would be required to limit access to payment-related data to only those individuals whose positions “require” such access.