Skip to content

California Bill Imposes Tough Data Retention Restrictions and Broad Liability for Customer Data Breaches

In response to the recent high-profile data breaches involving the personal and financial information of millions of consumers, California legislators have advanced a bill that would hold businesses doing business in California to exacting data retention requirements and would impose severe penalties for violations of the bill's data retention requirements. The bill (AB 1710), which is working its way through committee, would also hold businesses responsible for notifying customers of breaches, and it would shift the costs related to those breaches from credit and debit card companies to the business that is the source of the breach. The bill faces opposition from the state's retailers and other industry groups.

The proposed legislation would amend existing California law to require that companies accepting payment by credit or debit card or another payment device would be prohibited from storing payment-related data unless the company complies with a strict data retention policy, as prescribed by statute and consistent with all state and federal regulations. Companies would be prohibited from storing sensitive payment-authentication data and from sending payment-related data over unencrypted networks. Violators would be subject to civil penalties of up to $500 per violation, or $3,000 for willful, intentional, or reckless violations - penalties that in the case of systemic noncompliance or security breaches could be multiplied to potentially enormous sums."

The proposed law would also require businesses doing business in California that are the "source" of data breaches involving personal information to provide identity theft protection and mitigation services to customers whose personal information may have been exposed by the breach - at no cost to the consumer and for not less than 24 months. In situations where credit and debit card information is "hacked" on a business's payment system, the bill shifts the burden of notifying customers of the breach from banks and credit card issuers to the business that suffered the breach. Businesses would also be responsible for any expenses resulting from the data breach, including the cost of replacing credit and debit cards.

While the bill remains subject to further amendments - and spirited resistance from industry groups - it reflects legislators' sharpened focus on holding retailers accountable for credit and debit card data breaches. In the absence of comprehensive federal data breach legislation, states have been taking the lead in the area of data privacy, and AB 1710 appears to be one of the more stringent pieces of legislation. With a growing patchwork of state policy laws, some carrying grave penalties for violations, companies need to make sure that they craft - and adhere to - data retention policies that comply with all applicable laws in all jurisdictions where they conduct business."

This client alert is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations.

Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.