CA. Privacy Law Updated
More Detailed Breach Notification Required as of Jan. 1
The bill by Sen. Joe Simitian (D-Palo Alto) specifically establishes standards for data breach notifications, including a general description of the incident, the type of information breached, the time of the breach, and toll-free telephone numbers and addresses of the major credit reporting agencies in California.
The law goes into effect on Jan. 1, 2012.
On Sept. 29, 2010, then-Governor Arnold Schwarzenegger vetoed SB 1166, Sen. Simitian's previous effort to enact stronger data breach notification requirements [See California Eyes Stronger Privacy Law].
This new law updates AB 700, or SB 1386, adopted in 2003, which requires data holders to notify individuals when there is a breach of personal information. The landmark law - one of the first notification laws in the nation - didn't indicate what information needed to be included in the notification.
"Senate Bill 24 is the logical next step to ensure consumers have the specific information they need to protect themselves after a data breach," Simitian stated in a press release issued Aug. 31, 2011.
SB 24 also requires data holders to send an electronic copy of the notification to the Attorney General if a single breach affects more than 500 Californians. According to Simitian, these requirements will "give law enforcement the ability to see the big picture and better understand the patterns and practices of identity theft statewide."
Personal information, as defined in SB 24, includes: social security numbers; driver's license numbers or California identification card numbers; account numbers or credit or debit card numbers, in combination with any required security code, access code or password; medical information; and health insurance information.
Philip Alexander, information security officer for Wells Fargo Bank and author of the book Data Breach Disclosure Laws - a State by State Perspective, sees the new law as being a "common-sense requirement."
"It puts some parameters if there is a breach, not only to consumers, but also to the state," he says.
While Alexander doesn't see the updated law as making things tougher, he says that from a resident's standpoint the bill provides helpful information, such as the credit reporting agencies and how to contact them.
California Breach Notification Requirements
The new law requires that agencies subject to a breach provide more detailed information to breach victims, a tougher policy than what AB 700 currently requires. A security breach notification issued by such an agency must:
- Be written in plain language;
- Include the name and contact information of the agency breached;
- List the personal information reasonably believed to have been subject to the breach;
- State the date of the breach, the estimated date of the breach or the date range within which the breach occurred;
- State whether the notification was delayed as a result of a law enforcement investigation;
- Give a general description of the breach incident;
- Provide toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver's license or California identification card number;
- Describe what the agency has done to protect individuals whose information was breached;
- Describe steps the person whose information has been breached may take to protect himself or herself.
In addition, the agency must submit to the attorney general a single sample copy of the security breach notification if the breach affects more than 500 California residents.