BILL ANALYSIS
AB 1710 Page 1
Date of Hearing: May 5, 2014

ASSEMBLY COMMITTEE ON BANKING AND FINANCE
Roger Dickinson, Chair
AB 1710 (Dickinson & Wieckowski) - As Amended: April 24, 2014

SUBJECT: Personal information: privacy.

SUMMARY: Enhances privacy protections for sensitive personal information. Specifically, this bill:

1) Provides that a person or business that sells goods or services to any resident of California and accepts as payment a credit card, debit card, or other payment device shall not store payment-related data, as defined, unless the person or business has and complies with a payment data retention and disposal policy that limits the amount and time that payment-related data is retained to only the amount and time required for business, legal, or regulatory purposes.

2) Provides that a person or business may not store sensitive authentication data subsequent to an authorization.

3) Prohibits storage of the following data elements: payment verification code; payment verification value; PIN verification value.

4) Prohibits retention of the primary account number unless it is retained in a manner consistent with the other specified requirements and in a form that is unreadable and unusable by unauthorized persons anywhere it is stored.

5) Prohibits sending payment-related data over open public networks unless the data is encrypted using strong cryptography and security protocols or otherwise rendered indecipherable.

6) Requires a person or business to limit access to payment-related data to only those individuals whose job requires that access.

7) Exempts from the foregoing any person or business subject to Sections 6801 to 6809, inclusive, of Title 15 of the United States Code (the Gramm-Leach-Bliley Act provisions on personal information) and state or federal statutes or regulations implementing those sections, if the person or business is subject to compliance oversight by a state or federal regulatory agency with respect to those sections.
8) Provides that nothing in the foregoing shall prohibit a person or business that sells goods or services to any California resident and accepts as payment a credit card, debit card, or other payment device from storing payment-related data for the sole purpose of processing ongoing or recurring payments, provided that the payment-related data is maintained in accordance with these requirements.

9) Provides that a person or business subject to the foregoing shall be liable to the owner or licensee of the information for the reimbursement of all reasonable and actual costs of providing a notice pursuant to subdivision (a) of Section 1798.82 and for the reasonable and actual costs of card replacement as a result of a breach.

a) If the person or business demonstrates compliance with items 1-6 above at the time of the breach of security, then the person or business may be excused from liability for reimbursement.

10) Provides that existing personal information data security obligations apply to businesses that maintain personal information, in addition to those who own or license the information.

11) Defines "maintain" to refer to personal information that a business maintains but does not own or license.

12) Provides that if a person or business owns or licenses computerized data that is encrypted in conformance with the Advanced Encryption Standard of the National Institute of Standards and Technology, Federal Information Processing Standards Publication 197, as amended from time to time, then that person or business is not required to disclose a security breach of that personal information.
13) Provides that in the event of a breach, in addition to notifying the owner or licensee of the data, the person or business that maintains the data shall notify persons affected by the breach, at the same time that notice is given to the owner or licensee, by United States mail if the person or business has a mailing address for the subject persons or by email if the person or business has an email address for the subject persons. If the subject persons cannot be notified by mail or email, the person or business shall provide notice by the following methods:

a) Conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains an Internet Web site page, for at least 30 days; and,

b) Notification to major statewide media.

14) Provides that if the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 24 months, along with all information necessary to take advantage of the offer, to any person whose information was or may have been breached, if the breach exposed or may have exposed two kinds of personal information:

a) Social security numbers (SSNs); and,

b) Driver's license numbers.

15) Provides that a person or entity may not sell, advertise for sale, or offer to sell an individual's SSN except where the SSN is incidental to the transaction.

a) Provides that in addition to other available remedies for a violation, a public prosecutor may bring an action to recover a civil penalty not to exceed $500 per violation.
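What items 1 through 4, 6 and 12 of the summary amount to at the code level, as an added example that is not part of the bill or of this analysis: a Go program that takes the data a merchant system holds during an authorization, drops the sensitive authentication data, masks the primary account number (PAN), encrypts the full PAN with AES-256-GCM, and stamps the record with a disposal deadline. The record types, field names, the 90-day retention period and the sample card data are assumptions constructed for the example (4111 1111 1111 1111 is a widely used test card number, not a real account). AES is the FIPS 197 cipher named in item 12; the GCM mode, which adds an integrity tag, is this example's choice and is not something the bill specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AuthorizationResponse is a constructed stand-in for what a merchant system holds while
// a card payment is authorized. CVV, Track2 and PINBlock are sensitive authentication data.
type AuthorizationResponse struct{ PAN, Expiry, ApprovalCode, CVV, Track2, PINBlock string }

// StoredPayment is the only shape allowed into persistent storage. It has no field for
// SAD, so the type enforces "do not store"; the full PAN exists only as AES-256-GCM output.
type StoredPayment struct {
	MaskedPAN, Expiry, ApprovalCode string
	PANCipher                       []byte    // nonce || ciphertext || GCM tag
	PurgeAfter                      time.Time // deadline from the retention and disposal policy
}

// MaskPAN keeps only the last four digits, the form receipts and screens need.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // pin the cipher to AES-256
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Retain converts an authorization response into a storable record: SAD is dropped, the PAN
// is masked, and the full PAN is sealed with AES-256-GCM (AES is the FIPS 197 cipher; GCM
// adds the integrity tag that the bare block cipher does not provide).
func Retain(resp AuthorizationResponse, key []byte, retention time.Duration, now time.Time) (StoredPayment, error) {
	if len(resp.PAN) < 12 || strings.Trim(resp.PAN, "0123456789") != "" {
		return StoredPayment{}, errors.New("malformed PAN")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return StoredPayment{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredPayment{}, err
	}
	return StoredPayment{
		MaskedPAN:    MaskPAN(resp.PAN),
		PANCipher:    gcm.Seal(nonce, nonce, []byte(resp.PAN), nil), // fresh nonce per record
		Expiry:       resp.Expiry,
		ApprovalCode: resp.ApprovalCode,
		PurgeAfter:   now.Add(retention),
	}, nil
}

// DecryptPAN recovers the full PAN; only the recurring-billing or refund path that needs
// the number should hold the key to call it (item 6: access limited to job need).
func DecryptPAN(rec StoredPayment, key []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(rec.PANCipher) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, rec.PANCipher[:ns], rec.PANCipher[ns:], nil)
	if err != nil {
		return "", err // wrong key or a tampered record
	}
	return string(pt), nil
}

// MustPurge reports whether the disposal policy says the record is overdue.
func MustPurge(rec StoredPayment, now time.Time) bool {
	return !now.Before(rec.PurgeAfter)
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // in production the key lives in a KMS or HSM, never beside the data
	resp := AuthorizationResponse{PAN: "4111111111111111", Expiry: "1225", ApprovalCode: "A1B2C3",
		CVV: "123", Track2: "4111111111111111=2512101", PINBlock: "0123456789ABCDEF"} // constructed sample
	rec, err := Retain(resp, key, 90*24*time.Hour, time.Now())
	if err != nil {
		panic(err)
	}
	pan, _ := DecryptPAN(rec, key)
	fmt.Printf("stored: %+v\nrecovered: %s\n", rec, pan) // rec carries no CVV, track or PIN data
}
```

Two design points carry the weight here. The storable record has no fields for the verification code, track data or PIN data, so item 2 and item 3 are enforced by the type rather than by a reviewer remembering to null them out. And the encryption key is an input to Retain and DecryptPAN rather than a field of the record, which is what makes the stored PAN "unreadable and unusable by unauthorized persons" in item 4: a copy of the database alone does not yield card numbers, and the cost-shifting in item 9 turns on exactly that separation holding up at the time of the breach.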
EXISTING LAW:

1) Provides that a business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Further provides that a business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

2) Requires any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose any breach of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Requires any person or business that maintains, but does not own, personal information to notify the owner or licensor of the data of any breach. Provides further that disclosure shall be made in the most expedient time possible and without unreasonable delay. [Civil Code, Section 1798.82]

3) Prohibits retailers from requesting or requiring, as a condition to accepting a credit card as payment, any personal identification information related to the cardholder. Authorizes a person or entity that accepts credit cards to require, as a condition of accepting the card, that the cardholder provide reasonable forms of identification, including but not limited to a driver's license or state identification card, provided that the identification is not written or recorded.
[Civil Code, Section 1747.08]

4) Prohibits a person or entity from publicly posting or publicly displaying a person's SSN. Defines "publicly post" or "publicly display" to mean intentionally communicating or otherwise making available to the general public. [Civil Code Section 1798.85(a)(1)]

5) Prohibits a person or entity from doing certain things that might compromise an individual's SSN, including printing a SSN on any card required to access goods or services; requiring a person to transmit a SSN over the Internet without a secure connection or encryption; requiring a person to use his or her SSN to access an Internet website, except as specified; or printing an individual's SSN on any materials that are mailed to the individual, unless the SSN is required to be on the mailed document by state or federal law. [Civil Code Section 1798.85(a)(2)-(5)]

FISCAL EFFECT: None.

COMMENTS:

AB 1710 stems from the recent mega data breaches affecting specified retailers. Following these breaches, the Assembly Banking and Finance Committee and the Assembly Judiciary Committee held an oversight hearing, titled "Is Our Personal Data Really Safe and Secure: A Review of the Recent Data Breaches," to discuss the current process for data breaches and how California can improve it. AB 1710 addresses the issues raised at this hearing and reflects the areas of law that need clarification.

The recent mega data breaches emphasized the importance of disclosure and accountability. All too often, data breaches happen and consumers receive a notice in the mail from a financial institution stating that their personal information may have been breached. The consumer is not told where the personal information was compromised and might read the letter to mean that the breach occurred at the financial institution.
Under existing law, financial institutions are considered the owners of personal information and therefore must provide the notification, although the breach most often did not occur at a bank or credit union. AB 1710 will provide clarity to consumers because it will require the maintainers of personal information, which could be a retailer, to disclose to a consumer that a breach occurred and that their personal information may have been breached. This allows a consumer to: 1) be proactive by contacting their financial institution and/or credit reporting agency; and, 2) have the option to not shop at a retail establishment that may not maintain personal information in a safe and secure manner.

Data Storage

Sections 1 and 2 of AB 1710 closely mirror two previous bills that went through the legislative process, AB 779 (Jones, 2007 Legislative Year) and AB 1656 (Jones, 2008 Legislative Year), both of which reached the desk of former Governor Schwarzenegger and were vetoed. The contents of Section 1 are framed after the well-known industry standard referred to as the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a proprietary information security standard for organizations that handle cardholder information, defined by the Payment Card Industry Security Standards Council. It was created to increase controls around cardholder data, and thereby reduce the credit card fraud that follows from its exposure, and is organized into 12 requirements. Although the PCI DSS must be implemented by all entities that process, store or transmit cardholder data, formal validation of PCI DSS compliance is not mandatory for all entities. Currently both Visa and MasterCard require merchants and service providers to be validated according to the PCI DSS.
Smaller merchants and service providers are not required to explicitly validate compliance with each of the controls prescribed by the PCI DSS, although these organizations must still implement all controls in order to maintain safe harbor and avoid potential liability in the event of fraud associated with theft of cardholder data. A key component of PCI DSS is that organizations do not store, after authorization, the sensitive authentication data contained in the magnetic stripe of the card (the track data, along with the card verification code and PIN data). If the primary account number from the front of the card is stored in any form, PCI DSS requires that it be rendered unreadable wherever it is stored, for which the standard accepts strong encryption, truncation or tokenization, among other methods.

According to the background report created by the Assembly Banking and Finance Committee for the oversight hearing referenced above, a report on PCI compliance, the Verizon 2014 PCI Compliance Report, found that 56% of U.S. businesses do not meet minimum compliance with overall PCI standards. Delving further into specific areas, only 17% complied with the security monitoring requirements that call for detection and response when data has been breached. Furthermore, 24% were in compliance with security testing requirements, and 56% met standards for protecting stored sensitive data. Limiting access to personal cardholder information is described in the report as one of the "golden rules" of security, but 71% of the organizations in Verizon's PCI compliance index failed to control access to cardholder data to the level required to be PCI compliant.

Retail data breaches of sensitive personal information continue to be a widespread and persistent problem, as shown by the recent large incidents involving the loss of over 110 million credit and debit card numbers and other consumer records. According to a Javelin Strategy and Research report, credit card fraud has increased as much as 87% since 2010, culminating in aggregate losses of $6 billion nationwide. According to many analysts, future data breaches may be inevitable.
Sometimes these breaches are caused or exacerbated by carelessness. According to the 2014 Verizon Data Breach Investigations Report, two out of three breaches last year were accomplished simply by logging in using lost or stolen credentials. In other cases, companies are the victims of sophisticated and elaborate attacks. In either case, however, these breaches impose significant costs and risks on consumer and financial services companies, among others. In order to minimize the risk of harm, this bill requires that businesses limit retention of payment data to the information and duration needed to conduct the transaction, and encrypt the data where it is sent over open public networks. In the event of a breach, the business would be liable to the owner or licensee of the information for the reimbursement of all reasonable and actual costs of providing notice under Section 1798.82(a) and for the reasonable and actual costs of card replacement resulting from the breach. AB 1710 does provide that if the person or business had complied with all of the data storage requirements at the time of the security breach, then it would not be liable for reimbursement costs.

Data Breach Notification

Existing law requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Inexplicably, the statute does not apply these same reasonable security standards to businesses that maintain but do not own or license personal information. This bill would close this loophole by extending these provisions to businesses that maintain personal information about a California resident.
Under existing law, businesses that own, license or maintain computerized data that includes personal information shall disclose a breach of the security of the system following discovery or notification of the breach to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The exemption for "encrypted" information appears to be absolute. As long as the data is encrypted in any fashion, however negligible, no notice is required, despite the potential vulnerability of the information to decryption. When the data breach law was enacted years ago, this broad "safe harbor" may have served to encourage businesses that store consumer personal information to adopt any form of encryption. Now, however, encryption standards have improved, and this bill would instead require that the data be encrypted to a reasonable standard specified by the National Institute of Standards and Technology. This is the standard recommended by the Attorney General. (See California Department of Justice 2012 Data Breach Report, available at http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2012data_breach_rpt.pdf.) If a person or business that owns personal information meets this standard, the person or business does not have to provide notification. One caveat worth noting: FIPS 197 specifies only the AES block cipher, so whether AES-encrypted data is actually unrecoverable after a breach also depends on how the cipher was used and, above all, on the encryption key not having been acquired along with the data.

In addition, the bill seeks to speed and improve consumer notification when a breach occurs by specifying that the person or business that maintains the data shall notify persons affected by the breach at the same time that notice is given to the owner or licensee. This notice would be either by United States mail, if the person or business has a mailing address for the subject persons, or by email, if the person or business has an email address for the subject persons.
If the subject persons cannot be notified by mail or email, the person or business shall provide notice by the following methods: (A) conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains an Internet Web site page, for at least 30 days; and, (B) notification to major statewide media.

In addition, AB 1710 seeks to protect consumers from the harms of identity theft that typically flow from a breach of the most sensitive personal information, SSNs and driver's license numbers. Under existing law, a business that suffers a breach of this information is required to do no more than notify the affected consumers, placing all costs and responsibility on the innocent consumers to protect themselves. In the interest of consumer relations, many companies voluntarily do more, such as offering credit monitoring and other services. Nevertheless, no preventive or mitigating steps are currently required. Under this measure, the person that was the source of the breach would be required to offer appropriate identity theft prevention and mitigation services, if any are available, at no cost to the affected person for not less than 24 months, along with all information necessary to take advantage of the offer, to any person whose information was or may have been breached, if the breach exposed or may have exposed two kinds of personal information: SSNs and driver's license numbers.

SSNs

Existing law regulates the publication and dissemination of SSNs in myriad ways. Perhaps surprisingly, however, the outright sale of SSNs is not prohibited. In response to growing concerns about identity theft, the Individual Reference Services Group (IRSG) was established in the 1990s as a self-regulatory mechanism for the industry.
Composed of companies specializing in identification and location services, the IRSG, in conjunction with the Federal Trade Commission, developed a comprehensive set of self-regulatory principles backed by audits and government enforcement. These principles, however, allowed the sale of SSNs without the knowledge and permission of the data subject, in a tiered system of standards contingent on how the numbers were acquired. The IRSG dissolved shortly after passage of the federal Gramm-Leach-Bliley Act in 1999, but many data brokers continue to conform to the group's principles. This bill would close this apparent loophole by expressly prohibiting a person or entity from selling, advertising for sale, or offering to sell an individual's SSN except where the SSN is incidental to the transaction.

Previous Legislation

AB 1656 (Jones, 2008 Legislative Year) would have prohibited specified entities that sell goods or services from storing or failing to limit access to payment-related information unless a specified exception applies. Vetoed by Governor Arnold Schwarzenegger.

AB 779 (Jones, 2007 Legislative Year) would have, beginning July 1, 2008, established a set procedure to be adhered to by a person, business, or public agency that sells goods or services to any California resident and accepts as payment a credit card, debit card, or other payment device. Vetoed by Governor Arnold Schwarzenegger.

Double Referral

This measure was heard in the Assembly Judiciary Committee and passed out with a 6-3 vote.

Recommended Amendments

This amendment clarifies that SSNs sold incidental to a larger transaction and necessary for a legitimate business purpose would not be captured under Section 6. The language referenced below was enacted in Minnesota.
1) On page 14, line 4, delete "except where the social security number is incidental to the transaction"

2) On page 14, line 5, insert: "(b) "sell" does not include the release of an individual's Social Security number if the release of the Social Security number is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose. The release of a Social Security number for the purpose of marketing is not a legitimate business purpose under this section."

This amendment deletes the civil penalty provision created for the sale of SSNs. Existing penalties seem to be sufficient.

3) On page 16, delete lines 24-28

REGISTERED SUPPORT / OPPOSITION:

Support
American Civil Liberties Union (ACLU)
Consumer Attorneys of California
Consumer Federation of California (CFC)
Consumer Watchdog
Privacy Rights Clearinghouse (PRC)
1 Individual

Opposition
California Association of Licensed Investigators
California Bankers Association
California Chamber of Commerce
California Hospital Association
California Manufacturers & Technology Association
California Medical Association (CMA)
California Restaurant Association
California Retailers Association
CTIA The Wireless Association
Direct Marketing Association
MasterCard
Motion Picture Association of America
Reed Elsevier
State Privacy and Security Coalition, Inc.
TechAmerica
The Internet Association

Analysis Prepared by: Kathleen O'Malley / B. & F. / (916) 319-3081