California Governor Edmund Brown, Jr., signed proposed ID theft legislation into law on September 30th, marking a significant step in protecting citizens from data breaches and the resulting fraud. The bill, AB 1710, will take effect on the first day of the new year, and will go a long way towards helping consumers recover from large-scale data breaches.
Unfortunately, the original content of the bill wasn’t accepted in its entirety, but supporters say that the approved measures are a good first step. One of the provisions that did not make it to the governor’s desk would have made breached businesses pay for the cost of issuing new credit cards to affected consumers, a cost that currently falls to the credit card companies. Another measure that was struck from the final piece of legislation would have required companies to delete much of the stored information that gets breached in these events, such as payment details, Social Security numbers, driver’s license numbers, and birthdates. Also, companies that gather and store that information were going to be required to notify affected consumers of a breach within fifteen days, as opposed to the ambiguous “timely manner” that current legislation requires; that measure also did not pass.
As an expert close to the bill explained, there are always a number of factors in any piece of legislation that get reduced before the final approval. A surprising number of organizations opposed the original, stronger content of the bill, including the state’s Chamber of Commerce and The Internet Association. Much of the reason for the opposition to the stronger terms stemmed from the fact that there are so many different industries involved in using consumers’ information that making broad, one-size-fits-all mandates for all of them would have been impossible.
There is some good news for California citizens, though, as some of the protections in the bill will make an impact on the outcomes of future data breaches. One of the first measures was mandatory credit monitoring coverage for all consumers affected by a data breach in which information like Social Security numbers was accessed; this offer is usually extended by large corporations in the event of a breach as a show of good faith, but the new law will make it required for all companies. Also, the healthcare industry—a common source of identity theft and personally identifiable information loss—will be required to follow not just the existing HIPAA privacy regulations for data breaches, but also this new law.
While the new law may not have the same protective strength that the original creators and advocates had hoped for, it is a good experimental move in helping ensure more protection for individuals who are devastated by identity theft. Hopefully, as the effects of the law are seen and understood, stronger safeguards can follow in the near future.