The wait is over. Governor Jerry Brown signed AB1710 into law yesterday. The law not only requires “reasonable security procedures and practices appropriate to the nature of the [personal] information” a business owns, licenses, or maintains, but it also requires identity theft protection and mitigation services under some conditions.
If notification of a breach is required, the law specifies what must be included in it:
(1) The security breach notification shall be written in plain language.(2) The security breach notification shall include, at a minimum, the following information:(A) The name and contact information of the reporting person or business subject to this section.(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.(G) If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).(3) At the discretion of the person or business, the security breach notification may also include any of the following:(A) Information about what the person or business has done to protect individuals whose information has been breached.(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.
(And yes, a lot of what the law requires in terms of notifications is exactly what I’ve been advocating for almost a decade, and I’m delighted to see this).
Not all entities are covered by the law. Exemptions include providers of health care, health care service plans, or contractors regulated by the Confidentiality of Medical Information Act; financial institutions, HIPAA-covered entities, and any business “that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section.”
There’s much more to the new law, and expect to see me posting links to privacy law firms’ analyses and comments. But since the new obligations apply to breaches involving unencrypted information, this might be a useful motivator to finally get around to deploying encryption if you have not done so already.
Update 1: Joe Lazzarotti comments on the new law, here.