California’s data breach notification law has been beefed up with the enactment of legislation.
The new law requires businesses to provide free identity-theft prevention services to the subjects of a breach whose personally identifiable information has been compromised. The law, which is the result of AB 1710, covers both customers and employees of an organization.
In other words, even if you do not maintain customer credit card data or other client information, your company is subject to the law if you have employees.
The new law requires a business whose data has been breached to provide, for free, one year’s worth of “appropriate identity-theft protection and mitigation services” to affected California residents.
The new law will not change other parts of breach response practices as required by law.
It will require companies to do what many already do after a breach: offer identity-theft protection to ease the burden on their clients and alert them if someone has in fact hijacked their credit card data and is using it to make charges. It is also a way to stave off lawsuits.
One of the issues with the law is that it requires businesses to provide “appropriate” identity-theft protection and mitigation services. Such a vague description won’t make compliance easy, as there are a number of services available to monitor the fallout from identity theft.
That said, offering a credit monitoring and fraud resolution service should likely suffice.
Credit monitoring services essentially keep a lookout for unusual charging activity, such as excessive charges or charges in faraway locations, including overseas. These companies typically offer fraud resolution services as well, which help remediate the fallout from identity theft.
Myriad companies offer these services online. If you store credit card data, it would be wise to research ahead of time which service you might want to use. The services vary in price and breadth.
Most of the services will monitor at least one – if not all – of the nationwide credit bureaus for suspicious activity. Some services scan the Internet to see if an affected individual’s information is floating around on the web. And some offer personal assistance with identity-theft resolution.
While the law requires that you offer these services to affected individuals, it does not require that you provide them to everyone affected (in other words, you don’t have to provide them to those who don’t take you up on your offer).
According to recent research, enrollment rates after breaches are typically no more than 10%. You should look for a service that only charges you for the individuals who actually enroll in the service.
AB 1710 basics
You are required to offer identity-theft protection services only if the compromised information includes a California resident’s name in combination with one of the following:
- Social Security number,
- California driver’s license number, or
- California identification card number.
If other information may have been compromised, such as credit card account numbers, medical information, health insurance information, or login names and passwords, you would not be required to provide these services. That said, you would still be required to notify the individuals under the other portions of California’s breach notification laws.
The rest of California’s data breach law remains in effect. You would have to take certain actions if you experienced a breach that exposed a California resident’s name AND their:
- Social Security number;
- California driver’s license number;
- California identification card number;
- Credit card, debit card or bank account number;
- Medical information;
- Health insurance information; or
- Online login credentials.
California law requires a business to notify any California resident whose unencrypted personal information (as listed above) was acquired, or is reasonably believed to have been acquired, by an unauthorized person.
Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the state attorney general.
If such a breach occurs, you should:
- Contain and mitigate the breach;
- Contact your attorney;
- Purchase the most appropriate identity-theft protection and mitigation service if the breach involves Social Security numbers, California driver’s license numbers, or California identification card numbers;
- Promptly notify affected individuals of the breach and offer identity-theft prevention services as needed; and
- Take steps to prevent a recurrence of the breach.