California's Latest Amendments to Its Data Security Breach Notification Law – Much Ado about Nothing?

Alerts / October 2, 2014

On September 30, 2014, California Governor Jerry Brown signed Assembly Bill 1710 into law, amending California’s existing personal information privacy laws. A.B. 1710 makes several changes to existing law, including: (1) a requirement that businesses that “maintain” personal information about California residents implement and maintain reasonable security measures to protect that information; (2) a prohibition on the sale, advertisement, or offer to sell an individual’s social security number (“SSN”); and (3) certain requirements related to identity theft prevention and mitigation services where an organization offers such remediation services to affected residents in connection with a data security breach.

As we explain below, the flurry of split opinions that emerged in the immediate wake of the signing of A.B. 1710 into law speaks volumes about the continuing problem of having 47 state data breach notification laws with ambiguous and inconsistent requirements. Further, at the end of the day, the substantive requirements of A.B. 1710 in its final form may not require anything beyond what most organizations already do as a matter of best practice and in accordance with state regulator expectations.

Additional Security Procedures for Companies that “Maintain” a Resident’s Personal Information

Previously, California Civil Code Section 1798.81.5 applied only to businesses that owned or licensed “personal information about a California resident.” Such businesses were required to “implement and maintain reasonable security procedures and practices” to protect a resident’s personal information from unauthorized access, destruction, use, modification, or disclosure. A.B. 1710 amends the existing law to require businesses that merely maintain a resident’s personal information to implement reasonable security procedures and practices to protect that information. Although the term “maintain” is not defined in the bill, the legislation explicitly states that it includes “personal information that a business maintains but does not own or license.” Under existing law, “personal information,” in this context, is defined as an individual’s first name or initial and last name or initial combined with other data elements that are not encrypted or redacted, including, but not limited to, SSN and driver’s license number or California identification card number.[1]

Prohibition on the Sale, Advertisement, and Offer to Sell Social Security Numbers

California Civil Code Section 1798.85 previously prohibited a person or entity from publicly posting or displaying an individual’s SSN. A.B. 1710 amends this section to add greater protection for an individual’s SSN. The bill prohibits a person or entity from “sell[ing], advertis[ing] for sale, or offer[ing] to sell an individual’s [SSN],” with limited exceptions. The exceptions not covered by A.B. 1710’s prohibition include “the release of an individual’s social security number if the release … is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose; and the release of an individual’s social security number for a purpose specifically authorized or specifically allowed by federal or state law.”

Security Breach Notification and Provision of Identity Theft Prevention and Mitigation Services

Under existing law, California Civil Code Section 1798.82 requires persons or businesses to notify affected individuals and, in some cases, the California Attorney General, in the event of a security breach involving the personal information of a California resident. A.B. 1710 also amends this section, stating that:

“If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).” (emphasis added).

In the 48 hours since the Governor signed the legislation, a split of opinion has emerged in online commentary (from some of the largest law firms in the country) as to what this amendment requires. Some commentators have interpreted the amendment to mean that persons or businesses in California are now required to provide identity theft prevention and mitigation services in the event of a data security breach involving Social Security or driver’s license numbers if the person or organization at issue is the source of the breach.

Other commentators have taken a different position on this provision of A.B. 1710, in particular with respect to the “if any” language noted above. Those commentators read the language as requiring that identity theft prevention and mitigation services, if offered, be provided by the organization at no cost to affected individuals and for a period of at least 12 months. Under this interpretation, offering identity theft prevention and mitigation services would be permissive, not mandatory.

Notably, in this regard, an earlier version of the bill, amended on March 28, 2014, read, “[i]f the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, such as credit monitoring, shall be provided at no cost to the affected person for not less than 24 months…” See A.B. 1710 Amended Bill Text. The final version of the bill, as signed into law by the Governor, removed the reference to credit monitoring, shortened the time period to 12 months, and added the critical “if any” language. See Assembly Bill No. 1710 Chapter 855.

If A.B. 1710 is interpreted to require the provision of identity theft prevention and mitigation services in the event of a data security breach, it would make California the first state in the nation to impose such a requirement. However, if A.B. 1710 is interpreted to require only that credit monitoring services, where offered, be provided free of charge and for 12 months, then A.B. 1710 merely memorializes what the majority of organizations experiencing a breach already do as a matter of best practice.

Either way, the unfortunate result of California’s latest amendment is likely to be a series of copycat bills in other state legislatures across the country with slight language modifications that impose inconsistent obligations and only further confuse the issue. Thus, A.B. 1710 once again calls into question why Congress has not passed a federal breach notification law (for which there is bipartisan support) with uniform requirements that would preempt the hodge-podge of state breach notification laws.

If you have any questions about this alert, please contact Gerald J. Ferguson at or 212.589.4238; Theodore J. Kobus III at or 212.271.1504; or any member of BakerHostetler's Privacy and Data Protection team.

Authorship Credit: Tanya Forsheit and M. Scott Koller


[1] The other data elements include medical information, as well as account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.


Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.
