California Data Breach Notification Update Bill Passes State's Assembly

By Laura Mahoney

May 28 — A bill (A.B. 1710) to update the California data breach notification law to require retailers and other businesses to notify consumers of a breach at the same time they notify data owners passed the Assembly May 27.

A.B. 1710 by Assemblymen Roger Dickinson (D) and Bob Wieckowski (D) passed 43-25, with Democrats in favor and Republicans opposed. It now moves to the Senate for consideration.

Dickinson said before the floor vote that he expects to amend the bill as it moves through the Senate to address opposition from business groups. The California Retailers Association, California Bankers Association and the Internet Association are opposed to the bill.

“We have addressed the main concerns, but we also know there are some remaining that we continue to work on,” Dickinson said. “I believe that they are eminently solvable.”

The bill would provide a safe harbor from breach notification requirements if personal information is encrypted, according to Dickinson. But the type of encryption is a sticking point that could be the topic of amendments in the Senate, industry groups told the committee in early May when the Assembly Banking & Finance Committee approved the measure.

NIST Encryption Standard

The current breach notification law says consumer notification isn't required if the data were encrypted. Under the bill, the safe harbor would apply if the data were encrypted “in conformance with the Advanced Encryption Standard of the National Institute of Standards and Technology, Federal Information Processing Standards Publication 197, as amended from time to time.”

A.B. 1710 also would require entities that maintain personal information—in addition to those that own or license it—to send consumer data breach notifications, and it would add a prohibition on the sale of Social Security numbers to current law.

The bill has support from Privacy Rights Clearinghouse, the American Civil Liberties Union and the Consumer Federation of California.

A.B. 1710 was amended May 5 to remove sections that would have held businesses liable for breach notification and card replacement costs and limited the retention of consumer and payment-related data.

Dickinson and Wieckowski accepted the amendments at the committee hearing, one month after introducing the broad language of the bill.

To contact the reporter on this story: Laura Mahoney in Sacramento, Calif., at

To contact the editor responsible for this story: Katie W. Johnson at

Full text of A.B. 1710, as amended in the Assembly, is available at