On September 30, 2014, California passed Assembly Bill 1710, which will create two major changes related to breaches involving the private data of California residents when it comes into effect on January 1, 2015.
First, the amended data breach law will expand the scope of the entities subject to the law. California’s existing data breach law requires entities that own or license personal information to implement and maintain security procedures to protect that information. Assembly Bill 1710 expands this requirement to include any entity that maintains personal information concerning a California resident. As amended, the law may include entities that store information on cloud servers. While the current version of the bill imposes notification requirements on entities that own or license personal information, the amended bill will not require an entity that maintains personal information to notify those individuals involved in a breach.
Second, the amended bill changes the obligations related to notification of a breach. Previously, an entity that owns or licenses private information was required to issue a notification of the breach. Under the amended bill, an entity that owns or licenses private information must “provide appropriate identity theft prevention and mitigation services, if any, to the affected person at no cost for not less than 12 months if the breach exposed or may have exposed specified personal information.”