Months before the well-publicized Sony breach, California passed Assembly Bill 1710, which was signed into law on September 30, 2014, and took effect on January 1, 2015. The most discussed part of the new law applies to all California employers. It contains a subsection that states:
If the person or business providing the notification [of the data breach] was the source of the breach [of Social Security numbers or driver’s license numbers], an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months.
Of course, no one knows what "source of the breach" means, because the term is undefined. Employers and third-party vendors, e.g., cloud service providers, will therefore each point at the other, since neither will want to be responsible for a breach when the cost of prevention and mitigation services will undoubtedly be great. The prevention and mitigation requirement is triggered only by breaches of Social Security numbers and driver's license numbers, not by breaches of payment card data or online credentials, which together make up the vast majority of breaches. Data "owners" must notify affected individuals of a breach "in the most expedient time possible and without unreasonable delay" and "immediately following discovery" of the breach, but "owners" and "maintainers" are, again, undefined.
What Should California Employers Do?
California employers should review and update their privacy and security policies and practices to ensure compliance, identify where Social Security numbers and driver's license numbers are stored and which vendors handle them, and train every employee who handles that information. Because the law does not say who the "source of the breach" is, vendor contracts should state explicitly which party bears the cost of identity theft prevention and mitigation services. More importantly, now more than ever, employers should purchase cyber liability insurance as soon as possible.