California's Latest Amendments to Its Data Security Breach Notification Law – Much Ado about Nothing?

Alerts / October 2, 2014

On September 30, 2014, California Governor Jerry Brown signed Assembly Bill 1710 into law, amending California’s existing personal information privacy laws. A.B. 1710 makes several changes to existing law, including: (1) a requirement that businesses that “maintain” personal information about California residents implement and maintain reasonable security measures to protect that information; (2) a prohibition on the sale, advertisement, or offer to sell an individual’s social security number (“SSN”); and (3) certain requirements related to identity theft prevention and mitigation services where an organization offers such remediation services to affected residents in connection with a data security breach.

As we explain below, the flurry of split opinions that emerged in the immediate wake of the signing of A.B. 1710 into law speaks volumes about the continuing problem of having 47 state data breach notification laws with ambiguous and inconsistent requirements. Further, at the end of the day, the substantive requirements of A.B. 1710 in its final form may not require anything beyond what most organizations already do as a matter of best practice and in accordance with state regulator expectations.

Additional Security Procedures for Companies that “Maintain” a Resident’s Personal Information

Previously, California Civil Code Section 1798.81.5 applied only to businesses that owned or licensed “personal information about a California resident.” Such businesses were required to “implement and maintain reasonable security procedures and practices” to protect a resident’s personal information from unauthorized access, destruction, use, modification, or disclosure. A.B. 1710 amends the existing law to require businesses that merely maintain a resident’s personal information to implement reasonable security procedures and practices to protect that information. Although the term “maintain” is not defined in the bill, the legislation explicitly states that the term includes “personal information that a business maintains but does not own or license.” Under existing law, “personal information,” in this context, is defined as an individual’s first name or initial and last name or initial combined with other data elements that are not encrypted or redacted, including, but not limited to, SSN and driver’s license number or California identification card number.[1]

Prohibition on the Sale, Advertisement, and Offer to Sell Social Security Numbers

California Civil Code Section 1798.85 previously prohibited a person or entity from publicly posting or displaying an individual’s SSN. A.B. 1710 amends this section to add greater protection for an individual’s SSN. The bill prohibits a person or entity from “sell[ing], advertis[ing] for sale, or offer[ing] to sell an individual’s [SSN],” with limited exceptions. The limited exceptions that are not covered in A.B. 1710’s prohibition include “the release of an individual’s social security number if the release … is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose; and the release of an individual’s social security number for a purpose specifically authorized or specifically allowed by federal or state law.”

Security Breach Notification and Provision of Identity Theft Prevention and Mitigation Services

Under existing law, California Civil Code Section 1798.82 requires persons or businesses to notify affected individuals and, in some cases, the California Attorney General, in the event of a security breach involving the personal information of a California resident. A.B. 1710 also amends this section, stating that:

“If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).” (emphasis added).

In the short 48 hours since the Governor signed the legislation, a split of opinion has emerged in online commentary (from some of the largest law firms in the country) as to what this amendment requires. Some commentators have interpreted this amendment to mean that persons or businesses in California are now required to provide identity theft prevention and mitigation services in the event of a data security breach involving Social Security or driver’s license numbers if the person or organization at issue is the source of the breach.

Other commentators have taken a different position with respect to this provision of A.B. 1710 – in particular, with respect to the “if any” language noted above. Those commentators interpret this language as requiring that identity theft prevention and mitigation services, if offered, must be provided by the organization without cost to affected individuals and for a period of at least 12 months. In this interpretation, the offering of identity theft prevention and mitigation services by persons or businesses would be permissive, but not mandatory.

Notably, in this regard, an earlier version of the bill, amended on March 28, 2014, read, “[i]f the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, such as credit monitoring, shall be provided at no cost to the affected person for not less than 24 months…” See A.B. 1710 Amended Bill Text. The final version of the bill, as signed into law by the Governor, removed the reference to credit monitoring, shortened the time period to 12 months, and added the critical “if any” language. See Assembly Bill No. 1710 Chapter 855.


If A.B. 1710 is interpreted to require the provision of identity theft prevention and mitigation services in the event of a data security breach, it would make California the first state in the nation to do so. However, if A.B. 1710 is interpreted to require credit monitoring services, only if offered, to be provided free of charge and for 12 months, then A.B. 1710 merely memorializes what the majority of organizations experiencing a breach already do as a matter of best practice.

Either way, the unfortunate result of California’s latest amendment is likely to be a series of copycat bills in other state legislatures across the country with slight language modifications that impose inconsistent obligations and only further confuse the issue. Thus, A.B. 1710 once again calls into question why Congress has not passed a federal breach notification law (for which there is bipartisan support) with uniform requirements that would preempt the hodgepodge of state breach notification laws.

If you have any questions about this alert, please contact Gerald J. Ferguson at 212.589.4238; Theodore J. Kobus III at 212.271.1504; or any member of BakerHostetler's Privacy and Data Protection team.

Authorship Credit: Tanya Forsheit and M. Scott Koller


[1] The other data elements include medical information, as well as account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.



