California Takes the Lead Again in Data Breach Laws

California has taken the lead once again in the area of data breach notification laws. In 2002, California was the first state to pass a law requiring companies to notify affected individuals of the breach of their personal information. On September 30, 2014, California’s governor signed into law the first statute requiring businesses to provide free identity theft prevention services to subjects of a breach. 

The California legislation responds to the recent, alarming increase in reports of breaches involving personal information. A May 2014 study by the Ponemon Institute found that an astounding 43% of companies have suffered a data breach in the last year. These breaches are affecting Americans in real terms. One in five online adults has experienced some form of identity theft, according to a Pew Research Center survey. 

California’s A.B. 1710 requires the business that is the source of the breach to provide for one year “appropriate identity theft protection and mitigation services” at no cost to affected California residents. This new requirement will directly impact employers because a breach of name and Social Security number – employee data that almost all employers maintain – triggers the obligation to provide the service. 

The law will not dramatically change breach response practices, however. Many businesses that suffer a data breach already offer some form of free identity theft protection. Motivations vary, but chief among them are a sense of obligation to affected individuals, concern about public and/or employee relations, and the desire to reduce the likelihood that affected individuals will file a lawsuit. Although legal claims based on data breaches often founder because the plaintiffs cannot prove that the breach actually caused them any harm, the lawsuits can be a distraction, draw additional unwelcome publicity, and require the business to incur defense costs. Consequently, organizations often find that offering identity theft prevention products serves their interests, regardless of whether offering the service is legally required. 

Nevertheless, the new law may erode some of the public relations value in providing these services. It may also establish a subjective standard by requiring that breached parties provide “appropriate” services. This standard may perplex businesses as they face a bewildering variety of identity theft prevention services in the marketplace. It also may expose a business to litigation over whether the services provided were “appropriate,” separate and apart from whether the breach caused any harm to individuals whose information was compromised. 

California law does not define “appropriate identity theft protection and mitigation services.” However, that standard likely is intended to require both credit monitoring and fraud resolution services. Monitoring the affected individual’s credit report allows the service provider to identify activity indicative of identity theft, such as unusual charges in distant locations. Most identity theft prevention services offer some form of credit monitoring.  They also typically provide assistance to affected individuals in the form of fraud resolution services to reverse the harmful effects of identity theft. 

Identity theft prevention services vary not only in the level of credit monitoring they deliver, but also in cost and in the other theft prevention and mitigation services they provide. Consequently, businesses that have experienced a data breach should shop and compare before purchasing a service. Credit monitoring products differ, for example, by whether they monitor credit reports from all three nationwide credit bureaus or just one, and what indicia of suspicious activity they consider. Other features may include Internet scanning for the affected individual’s personal information, identity theft insurance, and personal assistance with identity theft resolution. 

In comparing these services, organizations should look beyond the list price to ascertain the total potential cost of a service. Prices for many of these services decrease as the population of affected individuals increases.  Some services require the business to pay only for those individuals who actually enroll in the identity theft prevention service as opposed to paying for each enrollment code included in notification letters.  The distinction is critical for pricing purposes because enrollment rates rarely exceed 30% and often hover in the 5% to 10% range. 

A.B. 1710 covers just a subset of data breaches.  Organizations are required to offer identity theft protection services only if the compromised information includes an individual’s name in combination with one of the following: Social Security number, California driver’s license number, or California identification card number. The statute does not impose the identity theft protection obligation for the compromise of other categories of personal information, such as financial account numbers, medical information, health insurance information, and login credentials. 

Key Takeaways For Employers

An employer that experiences a breach of a California resident’s name in combination with: 

  • Social Security number;
  • California driver’s license number;
  • California identification card number;
  • Financial account number, including credit or debit card number;
  • Medical information; or
  • Health insurance information,

or a breach of a California resident’s online login credentials should:

  • Contain and mitigate the breach;
  • Contact legal counsel for advice and to establish the protections of the attorney-client privilege for communications concerning the incident and the incident response;
  • Purchase the most appropriate identity theft protection and mitigation service if the breach involves Social Security numbers, California driver’s license numbers, or California identification card numbers;
  • Promptly notify affected individuals of the breach and offer identity theft prevention services as needed; and
  • Take steps to prevent a recurrence of the breach.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.