California Bill Imposes Tough Data Retention Restrictions and Broad Liability for Customer Data Breaches

April 30, 2014 | Authors: Kenneth R. Florin; Ieuan Jolly; Michael L. Mallow; James D. Taylor

Law Firms: Loeb & Loeb LLP - New York Office; Loeb & Loeb LLP - Los Angeles Office
In response to the recent high-profile data breaches involving the personal and financial information of millions of consumers, California legislators have advanced a bill that would hold businesses doing business in California to exacting data retention requirements and would impose severe penalties for violations of those requirements. The bill (AB 1710), which is working its way through committee, would also hold businesses responsible for notifying customers of breaches, and it would shift the costs related to those breaches from credit and debit card companies to the business that is the source of the breach. The bill faces opposition from the state's retailers and other industry groups.

The proposed legislation would amend existing California law to prohibit companies that accept payment by credit or debit card or another payment device from storing payment-related data unless the company complies with a strict data retention policy, as prescribed by statute and consistent with all state and federal regulations. Companies would be prohibited from storing sensitive payment-authentication data and from sending payment-related data over unencrypted networks. Violators would be subject to civil penalties of up to $500 per violation, or $3,000 for willful, intentional, or reckless violations - penalties that in the case of systemic noncompliance or security breaches could be multiplied to potentially enormous sums.

The proposed law would also require businesses doing business in California that are the "source" of data breaches involving personal information to provide identity theft protection and mitigation services to customers whose personal information may have been exposed by the breach - at no cost to the consumer and for not less than 24 months. In situations where credit and debit card information is "hacked" on a business's payment system, the bill shifts the burden of notifying customers of the breach from banks and credit card issuers to the business that suffered the breach. Businesses would also be responsible for any expenses resulting from the data breach, including the cost of replacing credit and debit cards.

While the bill remains subject to further amendments - and spirited resistance from industry groups - it reflects legislators' sharpened focus on holding retailers accountable for credit and debit card data breaches. In the absence of comprehensive federal data breach legislation, states have been taking the lead in the area of data privacy, and AB 1710 appears to be one of the more stringent pieces of legislation. With a growing patchwork of state policy laws, some carrying grave penalties for violations, companies need to make sure that they craft - and adhere to - data retention policies that comply with all applicable laws in all jurisdictions where they conduct business.