The following update was prepared by Jim Alexander, an associate in Gibson Dunn’s Palo Alto office.
California’s data privacy laws frequently find their way into the laws of other states and the playbooks of federal regulators. Accordingly, retailers doing business both within and beyond the Golden State should take note of Assembly Bill 1710, a proposed amendment to California’s customer records statute (Cal. Civ. Code § 1798.80 et seq.). If enacted, this bill would, in addition to limiting the types of consumer data that retailers can maintain, increase the potential costs of a data breach for retailers. AB 1710 is especially notable in at least two respects: the new financial burdens and civil penalties it would levy on retailers, and the bill’s rigid 15-day notification rule.
Stiff Penalties for Retailers
AB 1710 would increase the financial exposure of retailers and other businesses that have suffered a data breach. Specifically, it would (1) require the retailer to provide 24 months of credit monitoring services to affected consumers, (2) authorize a public prosecutor to pursue civil penalties for violations of California’s customer records statute in the amount of $500 for each violation or $3,000 for each willful, intentional, or reckless violation, and (3) hold the retailer liable for the costs of providing notice and replacing the payment cards of affected consumers.
The last provision, in particular, has teed up a legislative battle between retailers and banks. Banks currently bear the burden of replacing affected consumers’ payment cards, and AB 1710’s sponsors—Assemblymember Roger Dickinson (D-Sacramento) and Assemblymember Bob Wieckowski (D-Fremont)—argue that a retailer suffering a breach should not be allowed to pass on costs to banks.
Those sorts of costs are small, however, when compared with the devastating potential impact of a $500 or $3,000 civil penalty multiplied by the thousands or millions of discrete violations often at issue in a large-scale data breach. In contrast to the targeted civil penalties authorized by the current customer records statute, the broad new civil penalties proposed in AB 1710 could be read to apply to violations of the general obligation to maintain “reasonable security procedures and practices.”
Rigid 15-Day Notice Requirement
A second particularly notable feature of AB 1710 is that it proposes a bright-line rule for the disclosure of data breaches: persons affected by a breach shall be notified within 15 days, unless a law enforcement agency determines that notification will impede a criminal investigation. Notification must occur by email (if possible), by conspicuous posting on the company’s website, and by notification to major statewide media.
In recent debates about the pros and cons of bright-line data breach notification rules, some experts have pointed out that there is no standard model for a network security breach: attack vectors are often unique, and forensic investigation of a cyber-attack can be difficult and time-consuming. In many cases, it may be impossible to provide an accurate description of the breach incident by the mandated 15-day mark.
The bright-line approach proposed in the bill nevertheless values velocity over veracity: speedy disclosure would trump competing imperatives to accurately determine the cause and extent of the breach and enhance cyber-defenses prior to disclosure, and to avoid multiple, staggered notifications. Reminiscent of the color-coded terror threat advisories temporarily used after 9/11, the approach to notification proposed in AB 1710 may result in frequent early disclosures with little specificity—leading to overwrought and misdirected fears and, ultimately, data breach notification fatigue.