Wed, Dec 10, 2014

California Data Breach Law AB1710 Stirs Up Debate on Notification Requirements

California Assembly Bill No.1710 (AB 1710) was signed into law on September 30, 2014, and amends California’s existing data protection laws, in part by setting forth requirements on what to do if protected data is exposed.

AB1710 takes effect this January 1st, 2015, and there has already been much speculation and debate regarding several key pieces of the legislation. One such point of debate is the wording that amends what must be done if data is breached, which now states that a breached entity must “offer to provide appropriate identity theft prevention and mitigation services, if any, to the affected person at no cost for not less than 12 months if the breach exposed or may have exposed specified personal information.”

It is the use of “if any” as a modifier that is causing contention: does this phrasing mandate services, or does it simply require that entities choosing to offer services do so for 12 months? It’s likely this will be answered through guidance issued by the California attorney general’s office; however, the question remains as to what constitutes “appropriate” identity theft prevention and mitigation services.

The de facto offering is, of course, credit monitoring. Yet, there are many types of identity theft that cannot be detected by simply viewing the information reported to the credit bureaus. Kroll advocates a risk-based approach, one that relies upon a careful analysis of the facts and circumstances of the event, the types of sensitive information that were breached, the size of the event, and the sensitivity of the impacted population. This type of analysis helps clarify the type of mitigation services that would be appropriate and useful to breach constituents, and also sheds light on the impact of the breach to the organization itself.

Such a measured approach offers an advantage to organizations that have been breached, especially in light of these new requirements in California. There are even indicators that, as in the past, California may be leading the way: Rhode Island and Minnesota, for example, have already considered their own bills requiring credit monitoring or other services. It behooves all entities that do business in California to consider the implications of the law, and to begin considering the types of meaningful mitigation services they can offer consumers.

By Kroll Editorial Team