California Amends Data Breach Notification Law, Does Not Require Mandatory Offering of Credit Monitoring
California Governor Jerry Brown signed into law an amendment to California’s data breach notification law on Monday. Although at least one news outlet has reported that the law requires a company to offer credit monitoring services, this interpretation is misguided. Rather, the law only places restrictions on certain companies if they choose to offer identity theft prevention and mitigation services. In addition, the law also prohibits persons from selling (or advertising or offering to sell) any individual’s social security number, subject to certain exceptions.
An Offer of Identity Theft Prevention and Mitigation Services is Not Required
In pertinent part, the amended law, Cal. Civ. Code § 1798.82(d)(2), provides:
The security breach notification shall include, at a minimum, the following information:
. . .
(G) If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h). (emphasis added).
Here, the clause “if any” modifies the entire phrase “an offer to provide appropriate identity theft prevention and mitigation services.” Therefore, this provision only imposes requirements if identity theft prevention and mitigation services are actually offered. Specifically, if a business was the “source of the breach” and voluntarily offers identity theft prevention and mitigation services, then any offer of such services that the business actually makes (if any) must (1) be provided for free, (2) be offered for at least 12 months, and (3) contain all material information to take advantage of the offer. This provision does not apply to a business that offers such services when the business was not the “source of the breach.” In addition, the phrase “source of the breach” – an undefined term – likely raises more questions than answers.
It is worth noting that this provision in the bill, as initially represented in the March 28 draft, would have provided for the mandatory offering of identity theft prevention and mitigation services.[1] However, the bill was quickly amended, with the April 24 draft introducing the “if any” phrase and removing the mandatory offering requirement. The Legislative Counsel’s Digest for the chaptered bill does not take into account the change in meaning.[2] Although a California court may consider information contained in a Legislative Counsel Digest to determine legislative intent, the court is “not bound . . . by the misinformation delivered to the Legislature.” People v. Cruz, 13 Cal. 4th 764, 780 (1996).
Accordingly, businesses that voluntarily choose to provide credit monitoring or similar services probably will not be affected by this amendment – it is very common for companies offering credit monitoring or similar services not to charge for the offering, to offer the service for at least 12 months, and to include all material information to take advantage of the offer.
Companies May Not Sell (Or Advertise or Offer to Sell) An Individual’s Social Security Number
The new law also creates a new subsection (a)(6) in Cal. Civ. Code § 1798.85. Under this section, no person or entity may “[s]ell, advertise for sale, or offer to sell an individual’s social security number.” The law also specifically prohibits the release of an individual’s social security number for marketing purposes.
The exceptions to the restriction on selling social security numbers are: “if the release of the social security number is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose” and “for a purpose specifically authorized or specifically allowed by federal or state law.”
[1] The March 28, 2014 version of the bill where this provision was introduced imposed a mandatory reporting obligation: “If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, such as credit monitoring, shall be provided at no cost to the affected person for not less than 24 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in paragraph (1) of subdivision (h).”
[2] The Digest states: “This bill would require . . . that the person or business offer to provide appropriate identity theft prevention and mitigation services, if any, to the affected person at no cost for not less than 12 months if the breach exposed or may have exposed specified personal information.” The Digest recounts the meaning reflected in the initial draft of the bill – but not the version that was enacted and signed by the governor.