BILL ANALYSIS
AB 1710
Page 1

Date of Hearing: April 29, 2014

ASSEMBLY COMMITTEE ON JUDICIARY
Bob Wieckowski, Chair
AB 1710 (Dickinson and Wieckowski) - As Amended: April 24, 2014

SUBJECT: PRIVACY: PERSONAL INFORMATION

KEY ISSUE: SHOULD ADDITIONAL PRIVACY PROTECTIONS BE ENACTED TO PREVENT AND REMEDY THE COSTS AND OTHER HARMS THAT OCCUR WHEN BUSINESSES FAIL TO PROTECT SENSITIVE PERSONAL INFORMATION?

SYNOPSIS

This bill responds to the massive retail data breaches involving sensitive consumer information that the Committee examined in its recent oversight hearing held in conjunction with the Committee on Banking and Finance. Supporters argue that this bill would help to prevent these problems from recurring by limiting the amount and type of consumer payment card information that may be retained, so that less of it is available to hackers who gain access. The bill also emphasizes prevention by closing a loophole in the existing law that requires businesses holding personal information to implement reasonable security practices and procedures. In addition, the bill would tighten the encryption standard under the existing data breach notification law, and provide for faster and more direct notice to those affected when companies lose control of personal information. The bill also requires that businesses offer appropriate prevention and mitigation measures when a breach involves the most sensitive types of personal information, which can more easily lead to identity theft. It also prohibits the sale of social security numbers. Supporters argue that these are modest and reasonable measures that should improve prevention and help to remedy the significant risk of harm that occurs when personal information is exposed. Opponents representing business groups argue that the bill imposes onerous and unneeded data management mandates that would be ineffective, counterproductive, wasteful and confusing.

SUMMARY: Enhances privacy protections for sensitive personal information.
Specifically, this bill:

1) Provides that a person or business that sells goods or services to any resident of California and accepts as payment a credit card, debit card, or other payment device shall not store payment-related data, as defined, unless the person or business has and complies with a payment data retention and disposal policy that limits the amount and time that payment-related data is retained to that required for business, legal, or regulatory purposes.

2) Provides that such a person or business may not store sensitive authentication data subsequent to an authorization.

3) Prohibits storage of the following data elements: payment verification code; payment verification value; PIN verification value.

4) Prohibits retention of the primary account number unless it is retained in a manner consistent with the other specified requirements and in a form that is unreadable and unusable by unauthorized persons anywhere it is stored.

5) Prohibits sending payment-related data over open public networks unless the data is encrypted using strong cryptography and security protocols or is otherwise rendered indecipherable.

6) Requires that such a person or business limit access to payment-related data to only those individuals whose job requires that access.

7) Exempts from the foregoing any person or business subject to Sections 6801 to 6809, inclusive, of Title 15 of the United States Code (the privacy provisions of the Gramm-Leach-Bliley Act) and the state or federal statutes or regulations implementing those sections, if the person or business is subject to compliance oversight by a state or federal regulatory agency with respect to those sections.
8) Provides that nothing in the foregoing prohibits a person or business that sells goods or services to any California resident and accepts as payment a credit card, debit card, or other payment device from storing payment-related data for the sole purpose of processing ongoing or recurring payments, provided that the payment-related data is maintained in accordance with these requirements.

9) Provides that a person or business subject to the foregoing shall be liable to the owner or licensee of the information for the reimbursement of all reasonable and actual costs of providing notice pursuant to subdivision (a) of Civil Code Section 1798.82, and for the reasonable and actual cost of card replacement as a result of a breach described in that section.

10) Provides that the existing personal information data security obligations apply to businesses that maintain personal information, in addition to those that own or license the information.

11) Provides that the existing exemption from data breach notification requirements for encrypted data applies only if the data is encrypted in conformance with National Institute of Standards and Technology Federal Information Processing Standards Publication 197 (the Advanced Encryption Standard), as amended from time to time.

12) In the event of a breach, provides that in addition to notifying the owner or licensee of the data, the person or business that maintains the data shall notify the persons affected by the breach, at the same time that notice is given to the owner or licensee, by United States mail if the person or business has a mailing address for the subject persons, or by email notice if the person or business has an email address for the subject persons.
If the subject persons cannot be notified by mail or email, the person or business shall provide notice by the following methods: (A) conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains an Internet Web site page, for at least 30 days; and (B) notification to major statewide media.

13) Provides that if the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be made at no cost to the affected person for not less than 24 months, along with all information necessary to take advantage of the offer, to any person whose information was or may have been breached, if the breach exposed or may have exposed two kinds of personal information: social security numbers and driver's license numbers.

14) Provides that a person or entity may not sell, advertise for sale, or offer to sell an individual's social security number except where the social security number is incidental to the transaction.

EXISTING LAW:

1) Provides that a business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Further provides that a business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
2) Requires any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose any breach of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Requires any person or business that maintains, but does not own, personal information to notify the owner or licensor of the data of any breach. Provides further that disclosure shall be made in the most expedient time possible and without unreasonable delay. (Civil Code Section 1798.82.)

3) Prohibits retailers from requesting or requiring, as a condition to accepting a credit card as payment, any personal identification information related to the cardholder. Authorizes a person or entity that accepts credit cards to require, as a condition of accepting the card, that the cardholder provide reasonable forms of identification, including but not limited to a driver's license or state identification card, provided that the identification is not written or recorded. (Civil Code Section 1747.08.)

4) Prohibits a person or entity from publicly posting or publicly displaying a person's social security number (SSN). Defines "publicly post" or "publicly display" to mean intentionally communicating or otherwise making available to the general public. (Civil Code Section 1798.85(a)(1).)

5) Prohibits a person or entity from doing certain things that might compromise an individual's SSN, including printing an SSN on any card required to access goods or services; requiring a person to transmit an SSN over the Internet without a secure connection or encryption; requiring a person to use his or her SSN to access an Internet website, except as specified; or printing an individual's SSN on any materials that are mailed to the individual, unless the SSN is required to be on the mailed document by state or federal law.
(Civil Code Section 1798.85(a)(2)-(5).)

FISCAL EFFECT: As currently in print this bill is keyed non-fiscal.

COMMENTS: The authors explain that this bill is the result of a joint oversight hearing of this Committee and the Committee on Banking and Finance regarding the massive recent consumer information data breaches at Target, Neiman Marcus and other retailers. To provide better protections and incentives for data security, the bill has six elements:

- Retail payment data retention and storage limitations.
- Reasonable security procedures and practices for businesses that maintain personal information, in light of the nature of the information.
- Appropriate encryption standards in order to warrant an exemption from the existing data breach notification law.
- Direct notification to consumers when a business that maintains personal information is the source of a data breach.
- An offer to provide appropriate identity theft prevention and mitigation services, if any, by the person or business that was the source of a breach of social security numbers and driver's license numbers.
- Prohibition against the sale of social security numbers.

This Bill Renews Prior Efforts To Prevent Avoidable Loss of Payment Card Information That Were Vetoed By Governor Schwarzenegger. Retail data breaches of sensitive personal information continue to be a widespread and persistent problem, as shown by the recent large incidents at Target and Neiman Marcus stores, involving the loss of over 110 million credit and debit card numbers and other consumer records. According to a Javelin Strategy and Research report, credit card fraud has increased as much as 87 percent since 2010, culminating in aggregate losses of $6 billion nationwide. According to many analysts, future data breaches may be inevitable. Sometimes these breaches are caused or exacerbated by carelessness.
According to the 2014 Verizon Data Breach Investigations Report, two out of three breaches last year were accomplished simply by logging in using lost or stolen credentials. In other cases, companies are the victims of sophisticated and elaborate attacks. In either case, however, these breaches impose significant costs and risks on consumers and on financial services companies, among others. In order to minimize the risk of harm, this bill requires that businesses limit retention of payment data to the information and duration needed to conduct the transaction, and encrypt the data where it is sent over open public networks. In the event of a breach, the business would be liable to the owner or licensee of the information for the reimbursement of all reasonable and actual costs of providing the notice required by Civil Code Section 1798.82(a), and for the reasonable and actual cost of card replacement as a result of a breach described in that section. In this respect the bill is substantially the same as two prior measures that were passed by the Legislature but vetoed by Governor Schwarzenegger in 2007 and 2008.

Reasonable Security Standards For Businesses That Maintain Personal Information. Existing law requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Inexplicably, the statute does not apply these same reasonable security standards to businesses that maintain, but do not own or license, personal information. This bill would close this loophole by extending these provisions to businesses that maintain personal information about a California resident.

Improved Data Breach Notification.
Under existing law, businesses that own, license or maintain computerized data that includes personal information shall disclose a breach of the security of the system, following discovery or notification of the breach, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Tightened Encryption Exemption. The exemption for "encrypted" information appears to be absolute. As long as the data is encrypted in any fashion, however negligible, no notice is required, despite the potential vulnerability of the information to decryption. When the data breach law was enacted years ago, this broad "safe harbor" may have served to encourage businesses that store consumer personal information to adopt any form of encryption. Encryption standards have since improved, and this bill would instead require that the data be encrypted to a standard specified by the National Institute of Standards and Technology, Federal Information Processing Standards Publication 197, which defines the Advanced Encryption Standard (AES). This is the standard recommended by the Attorney General. (See California Department of Justice 2012 Data Breach Report, available at http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2012data_breach_rpt.pdf.) Note that FIPS 197 specifies the AES block cipher itself; it says nothing about the mode of operation or about how the encryption key is generated, stored and protected, so conformance with FIPS 197 sets a floor for the strength of the cipher rather than guaranteeing that breached ciphertext cannot be read.

Faster and More Direct Notice to Persons Affected. In addition, the bill seeks to speed and improve consumer notification when a breach occurs by specifying that the person or business that maintains the data shall notify the persons affected by the breach at the same time that notice is given to the owner or licensee. This notice would be either by United States mail, if the person or business has a mailing address for the subject persons, or by email notice, if the person or business has an email address for the subject persons.
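The retention and storage rules the bill would impose on merchants (no sensitive authentication data after authorization, primary account number unreadable wherever it is stored, retention bounded by a written policy) can be checked mechanically against stored records. The following is an added example written for this page; it is not part of the committee's analysis, the bill text, or any vendor's software. It scrubs a constructed authorization record down to what a merchant could keep and then audits stored records for the violations the bill targets. The field names, the 90-day retention limit, the keyed-HMAC tokenization of the account number and the sample record are assumptions of the example, not terms of the bill.

```python
"""Post-authorization payment-data scrub and retention audit.

Added example for this page, not part of the AB 1710 analysis or bill.
Field names, the 90-day limit, the keyed-token approach and the sample
record below are assumptions of the example.
"""
import base64
import hashlib
import hmac
import re
from datetime import datetime, timedelta

# Elements that may never be retained once the transaction is authorized
# (summary items 2 and 3). Field names are an assumption.
SENSITIVE_AUTH_FIELDS = frozenset(
    {"cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}
)

# Stand-in for a business's written retention policy (summary item 1);
# the bill itself sets no fixed number of days.
RETENTION_LIMIT = timedelta(days=90)

# A run of 13 to 19 digits, optionally separated by spaces or hyphens,
# that is not embedded in a longer run of digits.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; separates card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid 13-19 digit runs (candidate PANs) found in text."""
    found = []
    for m in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scrub_after_authorization(record, token_key):
    """Return the subset of an authorization record a merchant may keep.

    Sensitive authentication data is dropped outright. The PAN is replaced
    by a keyed HMAC token (unreadable and unusable without the key) plus
    the last four digits for receipts. A business that must later recover
    the PAN itself (recurring billing, summary item 8) would instead
    encrypt it with AES, the cipher FIPS 197 specifies, in an
    authenticated mode such as GCM; that variant is not shown here.
    """
    kept = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    pan = re.sub(r"[ -]", "", kept.pop("pan"))
    digest = hmac.new(token_key, pan.encode(), hashlib.sha256).digest()
    kept["pan_token"] = base64.urlsafe_b64encode(digest).decode().rstrip("=")
    kept["pan_last4"] = pan[-4:]
    return kept


def audit_stored_record(record, now_iso):
    """List the ways a stored record violates the retention rules."""
    findings = []
    for field in sorted(SENSITIVE_AUTH_FIELDS.intersection(record)):
        findings.append("sensitive authentication data retained: " + field)
    for key, value in record.items():
        if isinstance(value, str):
            for pan in find_pans(value):
                findings.append("cleartext PAN in %s: ...%s" % (key, pan[-4:]))
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(record["authorized_at"])
    if age > RETENTION_LIMIT:
        findings.append("retained beyond policy limit")
    return findings


# Constructed sample: a well-known test card number, not a real account.
RAW_AUTHORIZATION = {
    "order_id": "A-1001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/26",
    "cvv2": "123",
    "track2": "4111111111111111=26121011000012345678",
    "authorized_at": "2014-04-01T10:15:00+00:00",
    "amount_usd": "42.50",
}
TOKEN_KEY = b"demo-key-not-for-production"  # assumption; use a managed key


if __name__ == "__main__":
    print("raw record:", audit_stored_record(RAW_AUTHORIZATION, "2014-04-29T00:00:00+00:00"))
    stored = scrub_after_authorization(RAW_AUTHORIZATION, TOKEN_KEY)
    print("stored record:", audit_stored_record(stored, "2014-04-29T00:00:00+00:00"))
    print("stored record 120 days on:", audit_stored_record(stored, "2014-08-01T00:00:00+00:00"))
```

Run against the raw record, the audit reports the retained CVV2 and track data and a cleartext account number in two fields (the track-2 discretionary data after the "=" is a 20-digit run and is correctly ignored); the scrubbed record passes, then fails only the retention-age check once it is older than the policy allows. The Luhn filter is what keeps a scan of free-text fields from flagging timestamps, order numbers and similar digit runs.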
If the subject persons cannot be notified by mail or email, the person or business shall provide notice by the following methods: (A) conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains an Internet Web site page, for at least 30 days; and (B) notification to major statewide media.

Appropriate Prevention and Mitigation. Lastly, the bill seeks to protect consumers from the harms of identity theft that typically flow from a breach of the most sensitive personal information: social security numbers and driver's license numbers. Under existing law, a business that loses control of this information is required to do no more than notify the affected consumers, placing all costs and responsibility on the innocent consumers to protect themselves. In the interest of consumer relations, many companies voluntarily do more, such as offering credit monitoring and other services. Nevertheless, no preventive or mitigating steps are currently required. Under this measure, the person that was the source of the breach would be required to offer appropriate identity theft prevention and mitigation services, if any are available, at no cost to the affected person for not less than 24 months, along with all information necessary to take advantage of the offer, to any person whose information was or may have been breached, if the breach exposed or may have exposed two kinds of personal information: social security numbers and driver's license numbers.

New Protections Against Sale of Social Security Numbers. Existing law regulates the publication and dissemination of social security numbers in myriad ways. Perhaps surprisingly, however, the outright sale of social security numbers is not prohibited. In response to growing concerns about identity theft, the Individual Reference Services Group (IRSG) was established in the 1990s as a self-regulatory mechanism for the industry.
Composed of companies specializing in identification and location services, the IRSG, in conjunction with the Federal Trade Commission, developed a comprehensive set of self-regulatory principles backed by audits and government enforcement. These principles, however, allowed the sale of Social Security numbers without the knowledge and permission of the data subject, under a tiered system of standards contingent on how the numbers were acquired. The IRSG dissolved shortly after passage of the federal Gramm-Leach-Bliley Act in 1999, but many data brokers continue to conform to the group's principles. In October 2013, according to a report from KrebsOnSecurity, the credit reporting bureau Experian reportedly sold SSNs through its subsidiary, Court Ventures, to Hieu Minh Ngo, who allegedly operated an identity theft service called SuperGet.info. Though credit reporting bureaus such as Experian hold sensitive information, they often sell that information to third parties that offer services such as fraud prevention. According to Krebs, Ngo posed as a US-based private investigator to gain access to individuals' SSN data.

This bill would close this apparent loophole by expressly prohibiting a person or entity from selling, advertising for sale, or offering to sell an individual's social security number except where the social security number is incidental to the transaction.

ARGUMENTS IN SUPPORT: Privacy Rights Clearinghouse (PRC) writes that the bill would make important updates to California's landmark data breach law:

California was the first state to enact a data breach notice law in 2003. ... Following California's lead, a majority of the states have enacted laws requiring that individuals be notified when a security breach compromises personal information. And many of those states have added important provisions to strengthen their respective laws vis-a-vis the California law. At the same time, California's law has not kept up with such provisions.
AB 1710 addresses these shortcomings by expanding the law to: cover breaches involving non-computerized (paper) records; cover breaches involving encrypted data; provide [direct] notification period for data breach notices; cover entities that "maintain" but do not "own" or "license" data; require that 24 months of appropriate identity theft and mitigation services be provided to breach victims. AB 1710 would also prohibit the sale of SSNs, establish security practices for entities accepting payment cards and devices, and establish liability for the cost of payment card replacement resulting from a breach.

PRC's Chronology of Data Breaches (https://www.privacyrights.org/data-breach) documents over 4,200 data breaches since 2005, which have resulted in over 864 million breached records. The crimes of identity theft and payment card fraud are not going away. California needs to continue to be proactive in order to protect the privacy and security of its residents. Expanding California's landmark security breach law as envisioned by AB 1710 would represent critical steps in the right direction.

The Consumer Federation of California adds:

AB 1710 would militate against identity theft by restricting the retention of sensitive personal information by businesses, and strengthen our breach notice law to require timely notice when private consumer information may have fallen into the wrong hands. Privacy Rights Clearinghouse estimates 255,000,000 breached records with personally identifiable information in 2013 alone. Exacerbating this threat, businesses intent on ever more invasive marketing develop dossiers on all Americans, but fail to adequately secure the data in their possession. AB 1710 addresses several sources that contribute to the data breach epidemic. Simply put, data cannot be exposed in a breach if that data is not retained in the first place.
The bill limits the storage of personal information beyond the period needed to complete the transaction or for legal compliance purposes. It prohibits merchants from storing sensitive payment card information after the authorization is approved. It prohibits businesses from storing data that can trigger identity theft, including a driver's license number, social security number, and PIN number, and it prohibits the transmission of unencrypted personal payment data over a public network. AB 1710 also requires timely notice by the business that was the source of the breach. Consumer privacy should never take a back seat to the profit motive, as appears to have happened in a recent major breach. News reports suggest that Neiman Marcus delayed issuing notice of a December 2013 breach involving over one million credit cards until after the end of the Christmas shopping season. Withholding the notice deprived consumers of information that might have led them to take preventative measures, such as the placement of a credit freeze on their credit report, before the damage was done.

ARGUMENTS IN OPPOSITION: A coalition of business interests expressed opposition to the bill prior to recent amendments, stating in relevant part:

AB 1710 ... imposes onerous and unneeded data management mandates and creates new financial liabilities for non-governmental entities that take payment cards (credit and debit cards) or other payment devices. If enacted, AB 1710 would be ineffective and in some ways counterproductive to improving data security in California - it would increase fraud, waste resources that would be better spent on security, and would result in over-notification that would ultimately confuse California consumers. AB 1710 would institute a laundry list of conflicting security requirements on businesses that sell goods and services to California residents, while totally exempting government entities.
Government entities are as likely or more likely than private sector businesses to suffer security breaches, so there is no valid reason for this exemption. Further, the bill would legislate over and likely replace the well-established Payment Card Industry (PCI) Data Security Standard, placing elements of the standard into statute. By sharp contrast, the PCI data security standard evolves over time to meet security threats, requiring flexibility to ensure innovative methods are employed to combat data breaches and protect consumers' personal information. Fraud would increase in California under AB 1710. The bill arbitrarily bans retention of a wide range of data elements by entities that accept payment cards and need that information to reduce fraud and avoid other harms. For example, car rental companies would be banned from keeping drivers' license information or storing a credit card number after a user rents a car, and trucking companies would be banned from retaining employee drivers' licenses. The result would be significant increases in fraud in the State and would make it more difficult to identify and detect drivers who cause hit and run traffic accidents while driving rental cars. In fact, any business that accepts credit cards would be prohibited from keeping their employees' Social Security numbers.

Prior Related Legislation: AB 1656 (Jones) of 2008 and AB 779 (Jones) of 2007 were similar measures vetoed by Gov. Schwarzenegger.

REGISTERED SUPPORT / OPPOSITION:

Support
ACLU of California
Consumer Attorneys of California
Consumer Federation of California
Consumer Watchdog
Privacy Rights Clearinghouse

Opposition (prior to proposed amendments)
California Chamber of Commerce
American Insurance Association
Association of California Life & Health Insurance Companies
Association of California Insurance Companies
California Association of Collectors, Inc.
California Bankers Association
California Grocers Association
California Hotel and Lodging Association
California Manufacturers and Technology Association
California Medical Association
California Restaurant Association
California Retailers Association
California Travel Association
Consumer Data Industry Association
CTIA - The Wireless Association
Direct Marketing Association
Internet Coalition
Motion Picture Association of America
Personal Insurance Federation of California
State Privacy and Security Coalition
TechAmerica
TechNet
The Internet Association

Analysis Prepared by: Kevin G. Baker and Vignesh Ganapathy / JUD. / (916) 319-2334