Two California legislators have introduced legislation that would impose the strictest data-security obligations in the nation on online retailers. Assembly Bill 1710, introduced by Assemblyman Roger Dickinson (D-Sacramento) and Assemblyman Bob Wieckowski (D-Fremont) on April 16, 2014, proposes that retailers be held responsible for certain costs arising from data breach incidents. Dubbed the Consumer Data Breach Protection Act, AB 1710 would prohibit businesses that sell goods or services to California residents and accept debit or credit card payments from retaining or storing cardholder data, or failing to limit access to it, once a processing authorization has been obtained. The bill would also require such businesses to adopt "payment data retention and disposal" policies specifying how long they will retain that data.

Existing law requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect it from unauthorized access, destruction, use, modification, or disclosure. AB 1710 would extend these provisions to businesses that own, license, or maintain personal information about a California resident, as specified, and would prohibit the retention of ultrasensitive data such as social security numbers, driver's license numbers, PINs, and card verification codes. The bill would further make retailers liable for the "reasonable and actual costs" of notifying any California residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, and for the reasonable and actual cost of replacing the affected residents' payment cards as a result of the breach. Among other provisions in the bill:
- Retailers would be obligated to pay for at least 24 months of identity theft prevention and mitigation services, such as credit monitoring, for consumers whose personally identifiable information was exposed in the breach.
- Data breach notifications would have to be provided to consumers within stricter time frames, including an announcement to statewide media, emails to affected consumers within fifteen (15) days of the breach, and a general notice on the retailer's web page.
- Penalties for non-compliance would be stiffer under the proposed bill, ranging up to $500 per violation and up to $3,000 per willful or reckless violation.
California has long been the leader among U.S. states on privacy matters. In 2003, it became the first state to enact a data breach notification law. In 2012, California's breach notification law was amended to require companies and state agencies to report breaches affecting more than 500 California residents to the Attorney General's office. According to a recent report issued by Attorney General Kamala D. Harris, the first three months of 2012 saw more than a billion cyberattacks, a 130% increase since 2010. Today, 47 states have enacted legislation requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information; the three states without any such law are Alabama, New Mexico, and South Dakota.