California's Latest Amendments to Its Data Security Breach Notification Law – Much Ado about Nothing?

Alerts / October 2, 2014

On September 30, 2014, California Governor Jerry Brown signed Assembly Bill 1710 into law, amending California’s existing personal information privacy laws. A.B. 1710 makes several changes to existing law, including: (1) a requirement that businesses that “maintain” personal information about California residents implement and maintain reasonable security measures to protect that information; (2) a prohibition on the sale, advertisement, or offer to sell an individual’s social security number (“SSN”); and (3) certain requirements governing identity theft prevention and mitigation services where an organization offers such remediation services to affected residents in connection with a data security breach.

As we explain below, the flurry of split opinions that emerged in the immediate wake of the signing of A.B. 1710 into law speaks volumes about the continuing problem of having 47 state data breach notification laws with ambiguous and inconsistent requirements. Further, at the end of the day, the substantive requirements of A.B. 1710 in its final form may not require anything beyond what most organizations already do as a matter of best practice and in accordance with state regulator expectations.

Additional Security Procedures for Companies that “Maintain” a Resident’s Personal Information

Previously, California Civil Code Section 1798.81.5 applied only to businesses that owned or licensed “personal information about a California resident.” Such businesses were required to “implement and maintain reasonable security procedures and practices” to protect a resident’s personal information from unauthorized access, destruction, use, modification, or disclosure. A.B. 1710 amends the existing law to require businesses that merely maintain a resident’s personal information to implement reasonable security procedures and practices as well. Although the term “maintain” is not defined in the bill, the legislation explicitly states that it includes “personal information that a business maintains but does not own or license.” Under existing law, “personal information,” in this context, is defined as an individual’s first name or initial and last name or initial combined with other data elements that are not encrypted or redacted, including, but not limited to, an SSN and a driver’s license number or California identification card number.[1]

Prohibition on the Sale, Advertisement, and Offer to Sell Social Security Numbers

California Civil Code Section 1798.85 previously prohibited a person or entity from publicly posting or displaying an individual’s SSN. A.B. 1710 amends this section to add greater protection for an individual’s SSN. The bill prohibits a person or entity from “sell[ing], advertis[ing] for sale, or offer[ing] to sell an individual’s [SSN],” with limited exceptions. The limited exceptions that are not covered in A.B. 1710’s prohibition include “the release of an individual’s social security number if the release … is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose; and the release of an individual’s social security number for a purpose specifically authorized or specifically allowed by federal or state law.”

Security Breach Notification and Provision of Identity Theft Prevention and Mitigation Services

Under existing law, California Civil Code Section 1798.82 requires persons or businesses to notify affected individuals and, in some cases, the California Attorney General, in the event of a security breach involving the personal information of a California resident. A.B. 1710 also amends this section, stating that:

“If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).” (emphasis added).

In the short 48 hours since the Governor signed the legislation, a split of opinion has emerged in online commentary (from some of the largest law firms in the country) as to what this amendment requires. Some commentators have interpreted this amendment to mean that persons or businesses in California are now required to provide identity theft prevention and mitigation services in the event of a data security breach involving Social Security or driver’s license numbers if the person or organization at issue is the source of the breach.

Other commentators have taken a different position with respect to this provision of A.B. 1710 – in particular, with respect to the “if any” language noted above. Those commentators interpret this language as requiring that identity theft prevention and mitigation services, if offered, must be provided by the organization without cost to affected individuals and for a period of at least 12 months. In this interpretation, the offering of identity theft prevention and mitigation services by persons or businesses would be permissive, but not mandatory.

Notably, in this regard, an earlier version of the bill, amended on March 28, 2014, read, “[i]f the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, such as credit monitoring, shall be provided at no cost to the affected person for not less than 24 months…” See A.B. 1710 Amended Bill Text. The final version of the bill, as signed into law by the Governor, removed the reference to credit monitoring, shortened the time period to 12 months, and added the critical “if any” language. See Assembly Bill No. 1710 Chapter 855.


If A.B. 1710 is interpreted to require the provision of identity theft prevention and mitigation services in the event of a data security breach, it would make California the first state in the nation to do so. However, if A.B. 1710 is interpreted to require only that credit monitoring services, if offered, be provided free of charge and for 12 months, then A.B. 1710 merely memorializes what the majority of organizations experiencing a breach already do as a matter of best practice.

Either way, the unfortunate result of California’s latest amendment is likely to be a series of copycat bills in other state legislatures across the country, each with slight language modifications that impose inconsistent obligations and further confuse the issue. Thus, A.B. 1710 once again calls into question why Congress has not passed a federal breach notification law (for which there is bipartisan support) with uniform requirements that would preempt the hodgepodge of state breach notification laws.

If you have any questions about this alert, please contact Gerald J. Ferguson at or 212.589.4238; Theodore J. Kobus III at or 212.271.1504; or any member of BakerHostetler's Privacy and Data Protection team.

Authorship Credit: Tanya Forsheit and M. Scott Koller


[1] The other data elements include medical information, as well as account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.