Under legislation recently proposed in California, retailers doing business in the state would be subject to enhanced data destruction requirements, and all businesses would be affected by new data breach notification requirements.  In the wake of the TJX Companies data breach, which may have affected more than 46.2 million credit and debit cards, California Assemblyman Dave Jones introduced revised A.B. 779.  That legislation reiterates that retailers are subject to the same data safeguard requirements as other businesses that maintain customer records or own or license personal information, while significantly truncating the period of time retailers may retain personal information of customers.  The bill also would revise the data breach notification laws applicable to all businesses that own or license personal information.  

Proposed Data Destruction Requirements for Retailers

California currently requires all businesses to comply with several statutory provisions related to data security and destruction.  These provisions are contained in California Civil Code §§ 1798.80 – 1798.84 and concern three major topics: (1) destruction of customer records containing personal information; (2) the safeguarding of personal information; and (3) data breach notification.  A.B. 779 incorporates the data privacy laws by reference and expressly applies them to retailers that “collect[] or maintain[] personal information for any purpose.”

Under the bill, retailers would be required to dispose of records that contain personal information within 90 days.  Existing law, California Civil Code § 1798.81, provides general guidelines for records disposal for all businesses.  Under the current statute, a “record” is anything on or through which information is recorded or preserved, including written or spoken words, graphic depiction or electronic transmission.  “Personal information,” for purposes of this section, is:

any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information.  “Records” does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.

California Civil Code § 1798.80 (emphasis added).

The destruction requirements proposed in A.B. 779 reach far beyond those set forth in § 1798.81.  Existing law requires only that a business

take all reasonable steps to destroy, or arrange for the destruction of a customer’s records within its custody or control containing personal information which is no longer to be retained by the business by (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.

Section 1 of A.B. 779, however, would require that “a retailer that sells goods or services to any resident of California . . . not retain personal information for longer than 90 days after the date of the original transaction, or the period of time during which goods may be returned for a refund or exchange, whichever is shorter.” (emphasis added).  Thus, should A.B. 779 be passed into law, it will significantly impact retailers’ records retention and disposal policies and procedures with respect to personal information of customers.

Proposed New Data Breach Notification Requirements for All Businesses

California Civil Code § 1798.82, the first-in-the-nation security breach notification law, currently requires all businesses that own or license personal information to notify individuals if their data have been, or may have been, acquired by an unauthorized person.  Personal information is defined as the first name or initial and last name of an individual, with one or more of the following: 1) Social Security Number, 2) driver’s license number, 3) credit card or debit card number, or 4) a financial account number with information such as PINs, passwords or authorization codes that could gain access to the account.

A.B. 779 would amend California Civil Code § 1798.82 in three primary respects.  First, it would require that the following information appear in breach notices:

(A) The date of the notice.

(B) The name of the person or business that maintained the computerized data at the time of the breach.

(C) The date on which the breach occurred.

(D) A description of the categories of personal information that were, or are reasonably believed to have been, acquired by an unauthorized person.

(E) A toll-free telephone number or, if the primary method used by the person or business to communicate with the individual is by electronic means, an electronic mail address that the individual may use to contact the person or business or their agent, so that the individual may learn what types of personal information the person or business maintained about that individual.

(F) The toll-free telephone numbers and addresses for the major credit reporting agencies.

Second, according to the text of the bill, owners or licensees of personal data would be entitled to reimbursement from a third-party person or business that maintains the data and that is actually responsible for the breach, for the “reasonable and actual costs” of providing required breach notification.  Data owners would remain responsible for providing notice.  Third, companies providing notice must send a copy of the notice provided to consumers to the California Office of Privacy Protection.  This requirement is similar to the laws of other states, including New York and New Jersey, that require notification to other governmental agencies.

A copy of A.B. 779 can be found here.