California Bolsters Breach Notification
But Many Proposed New Requirements Were Dropped
For example, one proposed provision that was eliminated would have required that breached businesses reimburse payment card issuers for all costs to replace cards unless the businesses demonstrated they complied with the data breach law.
Two key provisions that remain in AB 1710, which takes effect Jan. 1, 2015, are:
- Breached entities are now required to offer free identity theft prevention services to affected individuals for one year - down from the 24 months originally proposed - if Social Security numbers or driver's license numbers were breached;
- Existing personal information data security obligations now apply to businesses that maintain personal information, such as cloud services providers, in addition to those who own or license the information.
"Recent breaches emphasized the need for strong consumer protections and awareness," says California assembly member Roger Dickinson, a Democrat who co-authored the bill with Bob Wieckowski, also a Democrat. "The retailers affected by the recent mega data breaches are not the first nor will they be the last. AB 1710 will increase consumer privacy, ensure appropriate fraud and identity theft protection and safeguard against the exploitation of personal information."
In addition to eliminating the provision requiring breached businesses to reimburse card issuers for all costs to replace cards, the measure signed into law also dropped several other key provisions in the original proposed legislation.
For example, the new law eliminated a proposal to prohibit sellers of goods and services to Californians from storing payment information, such as sensitive authentication data and payment verification codes, as well as personal identification, Social Security and driver's license numbers (see: States Advance Breach Notification Laws).
The law also eliminated a provision that would have required businesses that maintain, but do not own, the data, such as cloud services providers, to alert those affected by a data breach within 15 days by sending an e-mail message, posting a notice on their website and notifying statewide media.
Under the existing breach notification law - S.B. 1386 - data owners have to disclose a security breach in the most expedient time possible and without unreasonable delay.
The original bill was opposed by several business groups, including the California Bankers Association, California Chamber of Commerce and The Internet Association.
A spokesperson for assembly member Dickinson says healthcare entities, which must comply with the federal HIPAA breach notification rule, must also comply with this new state law. In addition, medical facilities in California must notify breach victims within five business days of detecting a breach under California Health & Safety Code Section 1280.15.
'Watering Down' Legislation
When it comes to privacy and breach notification laws, the "watering down" of legislation before it's finalized is common, says Scot Ganow, an attorney at Faruki Ireland & Cox P.L.L. who specializes in privacy and security law.
"One, and this is the biggest issue, is the difficulty with which to implement such a broad requirement across so many industries and so many [companies] doing interstate business," Ganow says. "You have to remember that any business, whether located in California or not, would have to comply if it's using the personal information of a California resident."
When enacting legislation, Ganow says, "we have the very common challenge of balancing convenience, privacy and the practicality of doing business in the Internet age."
The bill's original provisions, dropped in the final measure, would have created significant restrictions and costs to merchants and other businesses, says Francoise Gilbert, founder of the IT Law Group. "It would not be surprising if lobbyists had been very active in explaining to the legislators the potential consequences of enacting such provisions."
Analyzing the New Law
The requirement that businesses that maintain personal information, such as cloud services providers, must use adequate security greatly clarifies their obligations, Gilbert says.
"Previously, this obligation existed in that an entity that would engage a contractor or service provider would have to require, by contract, that the service provider use adequate security measures," she says. "Now, the obligation arises directly under the law, which means that service providers would be violating the law - in addition to breaching a contract - if they did not have adequate security measures."
California's original data breach law - the first in the nation - served as a model for other states, and so its revisions could be imitated elsewhere as well.
"There is a common phrase used in our country when it comes to regulation: 'So goes California, so goes the country,'" Ganow says. "I am not saying that is always the case, or that I necessarily agree. However, if history is any indicator, other states will indeed take notice, and in the interest of improving their practices, may adopt portions of this law as well."