After a series of high-profile data breaches that compromised consumer information at a number of major corporations, including Target Corp., Home Depot Inc., and Supervalu Inc., California Gov. Jerry Brown signed legislation that will require all companies that handle consumer data to provide identity theft prevention services following any kind of security breach. The bill, which was authored by Assembly Members Roger Dickinson (D-Sacramento) and Bob Wieckowski (D-Fremont), functions as an expansion of California’s current data protection laws.
“Recent breaches emphasized the need for stronger consumer protections and awareness. The retailers affected by the recent mega data breaches are not the first nor will they be the last,” Dickinson said in a statement. “AB 1710 will increase consumer privacy, ensure appropriate fraud and identity theft protection, and safeguard against the exploitation of personal information.”
Wieckowski echoed Dickinson’s sentiment. “Almost every day it seems there is breaking news about another data breach occurring,” he said. “Consumers need more assistance to keep their personal information private. AB 1710 is a step forward and an improvement over existing law in California and I am glad to see Governor Brown signed it today.”
What you need to know about California’s Data Breach Law.
How will this new law affect consumers?
The law, known as AB 1710, will require all businesses to provide a minimum of one year of credit card monitoring and identity theft prevention services to customers whose Social Security numbers or drivers’ licenses are compromised in a security breach. Furthermore, the bill also forbids the sale of Social Security numbers “except when part of a legitimate business transaction,” Dickinson said. The goal of the law is to better protect the data of California citizens, a staggering 2.5 million of whom were the victims of serious data breaches in 2012.
How will this new law affect the operations of California businesses?
All new California businesses must adhere to the law’s “reasonable security” requirements. The most notable provisions are the prohibition on the sale of Social Security numbers and the extension of existing data security obligations for California businesses to companies that own or license customer information.
Has there been any opposition to the bill?
There have been a number of opponents of the bill, particularly in the retail sector. The original version of the bill actually sought to hold companies financially responsible for consumer losses following a breach, as well as to place limits on the amount of payment information a retailer could store in its system while also mandating more stringent encryption standards in the state. A coalition of business groups, including the California Retailers Association and California Chamber of Commerce, argued that this proposal would institute data management rules that were “onerous and unneeded” and ineffective for protecting customer data. These groups also claimed the rules AB 1710 mandated “would result in over-notification that would ultimately confuse California consumers” and eliminate flexibility in the voluntary Payment Card Industry Data Security Standard, or PCI DSS, which is used by the financial and retail industries. It should be noted that, in light of these concerns, Dickinson and Wieckowski were forced to water down the bill in order to get it through the Legislature.
How will this new law affect data destruction processes?
The bottom line is that this new law will affect companies that engage in data destruction. While it may not directly influence data destruction processes, the law will require these companies, as well as any other companies that handle consumer data, to take reasonable measures to protect such data. If a breach does occur, these companies will be held accountable.