California—the first State in the Union to pass a mandatory data breach notification statute—recently amended Cal. Civil Code section 1798.82 in an attempt to clarify many of the disclosure and notification procedures to be undertaken in the wake of a data breach. On September 30, 2014, Governor Brown signed AB 1710 into law, specifying what disclosures must be made following a breach. Among other things, the new law requires that the notification of the breach be “written in plain language” and include certain minimum information set out in the statute.
The amended statute also adds subsection (G), which reads:
(G) If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).
This language proved confusing at first, with commentators initially interpreting it as requiring that credit monitoring be offered to all breach victims. However, subsequent review and analysis have held that the better view is that the restrictions of subsection (G) apply only if credit monitoring has been offered.
The amended statute also exempts from its notice requirements businesses regulated by HIPAA, the HITECH Act, the California Financial Information Privacy Act, and any “…business regulated by state or federal law providing greater protection to personal information than that provided by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects.”