Since the major data breach hit Target customers in mid-December 2013, there has been a lot of talk about whether retail companies are protecting consumer information in the best way. About 40 million individuals’ credit or debit card account information may have been compromised by the Target breach. Customer names, mailing addresses, phone numbers and e-mail addresses were also taken during the hack.
Earlier this April, bill AB 1710 was introduced by assembly members Roger Dickinson (D-Sacramento) and Bob Wieckowski (D-Fremont) in an attempt to combat data breaches such as the one Target experienced in 2013.
The Act “will greatly increase consumer protection from data breaches,” said Paul Stephens of the Privacy Rights Clearinghouse. “…The changes in this bill do some important things such as expand the law to include paper records. For example, when a business throws out records with sensitive information, such as social security numbers, that’s not covered under the current data breach law.”
The new measure also extends notification requirements to situations where data is encrypted. Stephens added that California law does not currently protect consumers from encrypted data. Breached entities would also be required to provide either credit or identity monitoring services to victims, which further expands consumer data protection.
The piece of legislation also transfers the responsibility for data breaches from banks and credit card companies onto the retail companies where the breach took place. This means retail businesses would be liable for financial losses. “Businesses tend to oppose any legislation that requires them to handle customer information in a more secure manner because that potentially does increase costs,” said Stephens.
Providing theft monitoring services and securely disposing of paper records with sensitive information are just a few examples of how the Act would impose extra costs on companies. “It costs more money to shred a sensitive document than to throw it in a dumpster,” added Stephens.
Moreover, AB 1710 would protect not only consumers but also businesses, said Dickinson in a statement. He added that if retail companies do not store consumer data, other than the information they need to conduct transactions, businesses will be less vulnerable to a breach, thus protecting their business as well as their customers.
The sale of a person’s social security number will also be prohibited under the bill. Businesses have a total of 15 days to notify customers if there has been a breach either by e-mail, posting the notice directly onto the retailer’s website, as well as through statewide media outlets. Identity theft monitoring services will also be free of charge to the consumer for no less than 24 months. The Assembly Judiciary Committee will hear the bill this month.
“[Consumers] can write to legislators and express the fact that they are concerned about not only identity theft, but having their personal, sensitive information exposed,” said Stephens. “…It’s a common sense solution to closing up some of the loopholes in the current law that essentially give business a free ride to be careless with consumers’ personal information.”