New California Privacy Law AB 1710: Data Security Requirements Just Got Broader
California has been a pioneer in enacting legislation designed to protect privacy. AB 1710, which was signed into law on September 30, 2014 by Governor Brown, is the latest example. It extends the duty to safeguard personal information, and the liability that comes with it, to businesses that merely “maintain” personal information. Effective January 1, 2015, business entities in California that maintain personal information must have data security measures in place.
California law already requires businesses that “own or license” personal information to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. AB 1710 imposes the same requirement on businesses that simply “maintain” personal information. In other words, AB 1710 reaches entities that store or process personal information on someone else’s behalf, such as third-party service providers (“TSPs”), whereas until now the law applied only to owners or licensees who retain personal information from transactions and as part of their own customer accounts.
AB 1710 will likely have the greatest financial impact on TSPs and small businesses, because many of them do not yet have security precautions adequate to prevent or respond to a data breach. Businesses commonly use TSPs for outsourced functions such as IT, data processing, payroll, and web hosting. Earlier this year, both AT&T and Lowe’s experienced data breaches when their TSPs exposed personal information held on the companies’ behalf. Until now, such breaches were addressed solely through contractual agreements, because entities that only “maintained” personal information were not subject to California’s data security requirements. AB 1710 now places that statutory obligation, and the liability for failing to meet it, directly on the TSPs themselves.
While AB 1710 expands consumer privacy protections, the enacted version of the law is actually less onerous for businesses than earlier drafts. Prior versions contained statutorily defined civil penalties and strict notice provisions. Prior versions also would have required businesses to provide identity theft prevention and mitigation services for 24 months following a breach. As enacted, the period was reduced to 12 months, and the statutory language is ambiguous as to whether such services are required at all or only that, if they are offered, they must be provided for at least 12 months.
The key takeaway from AB 1710 is that businesses maintaining personal information should do at least two things. First, they should encrypt personal information, particularly when it is transmitted or moved outside the company’s network. According to the “Cybersecurity in the Golden State” report released by the Office of the Attorney General, of the 131 data breaches reported in California for 2012, half could have been prevented had the data been encrypted. Second, businesses should have procedures in place to offer credit monitoring and identity theft protection in the event of a breach. Providing these services for at least one year is now standard industry practice, and it aligns with the 12-month period in the enacted statute.