California Bill Would Impose Massive Liability for Data Breaches

In response to the many recent high-profile data breaches and exposed vulnerabilities, including those involving the “Heartbleed” bug and Target, the California legislature is considering a bill that would hold businesses operating in the state responsible for following strict data retention requirements.

The bill would also impose severe penalties for violations.

The Legislative Counsel’s Digest for AB 1710, which is still in committee, notes that

Existing law requires a person or business conducting business in California that owns or licenses computerized data that includes personal information, as defined, to disclose, as specified, a breach of the security of the system or data following discovery or notification of the security breach to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The new law would require a person or business that was the source of a breach to provide “appropriate identity theft prevention and mitigation services to the affected person at no cost for not less than 24 months if the breach exposed or may have exposed specified personal information.”

The bill would prohibit any person or business that sells goods or services to California and accepts credit or debit cards from

storing, retaining, sending, or failing to limit access to payment-related data, as defined, retaining a primary account number, or storing sensitive authentication data subsequent to an authorization, as specified, unless a specified exception applies.

The bill would shift the cost of notifying consumers of breaches from credit and debit card companies to the businesses that are the sources of the breaches.

Violators would be subject to civil penalties of up to $500 per violation, or $3,000 per willful, intentional, or reckless violation.

In a case like the Target breach, that could add up to liability in excess of $50 billion – or six times that amount if the company was considered “reckless.”

Business and industry groups, not surprisingly, oppose the bill.

We think that opposition is short-sighted. Instead of complaining about the rain, they should get busy building their arks.

Clearly, consumers are fed up with having their data stolen. Politicians are going to bow to the popular will and punish data breaches with increasingly harsh penalties until businesses finally use technical solutions that make personal data truly secure.

One problem with this law is that it may have “unintended consequences.” Instead of three out of five data breaches not being reported, it will become five out of five. Corporate America will deal with the problem by covering it up, further hindering efforts to slow the data thieves.

That’s why PACid is working to make BoSS an industry standard for data security.
