A new amendment to California’s security breach notification law will raise the stakes for businesses required to give notice of a data security breach affecting California residents. California Senate Bill 24 (“SB 24”), signed by Governor Brown on August 31, 2011, imposes detailed new requirements for the content of security breach notices. Significantly, SB 24 also requires notice to the California Attorney General for larger-scale security breaches.
California’s security breach notification law was the first of its kind to be approved by a state legislature (Cal. Civ. Code § 1798.82.). It requires a person or entity conducting business in California to notify California residents whose unencrypted personally identifying information (PII) was known to have been or is reasonably believed to have been acquired by an unauthorized person through a security breach (Cal. Civ. Code § 1798.82(a)). Notice may be provided in written form, electronic form, or through substitute notice (Cal. Civ. Code § 1798.82(j)). SB 24 expands both the requirements regarding content of these notices and the scope of necessary recipients.
SB 24’s provisions will become effective on January 1, 2012.
Informational Requirements for Notices: SB 24 requires that security breach notices “be written in plain language” and contain, at a minimum, the following information (Cal. Civ. Code § 1798.82(d)(1), (2)):
- The name and contact information of the person or business reporting the breach;
- A list of the categories of PII that were, or are reasonably believed to have been, affected by the breach;
- The actual or estimated date or range of dates of the breach, along with the date on which notice was given;
- An indication of whether the notice was delayed as a result of a law enforcement investigation;
- A general description of the nature of the breach if such information can be determined at the time notice is given; and
- If the breach exposed a Social Security number, driver’s license number, or California identification card number, the toll-free telephone numbers and addresses of the major credit reporting agencies.
The person or entity reporting the breach may elect to provide the following additional categories of information (Cal. Civ. Code § 1798.82(d)(3); Cal. Civ. Code § 1798.29(d)(3)):
- Information about what the person or business has done to protect individuals whose information has been breached; and
- Advice on what steps the individual recipient of the notice may take to protect himself or herself.
Notification of California Attorney General: Under SB 24, any person or entity required to notify more than 500 California residents of a single security breach also must notify the state Attorney General (Cal. Civ. Code § 1798.82(f); Cal. Civ. Code § 1798.29(e)).
Additionally, SB 24 makes minor changes to the statute’s substitute notice provisions. A person or business invoking substitute notice will be required to notify the state Office of Privacy Protection (Cal. Civ. Code § 1798.82(j)(3)(C)).
HITECH Act Exemption: SB 24 provides that an entity covered by the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that has complied with the breach notification provisions of the federal Health Information Technology for Economic and Clinical Health (“HITECH”) Act will be deemed to have complied with the new content requirements for security breach notices under California’s security breach notification law as well (Cal. Civ. Code § 1798.82(e)).
Currently, 45 other states, as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, also have enacted security breach notification laws. Although these state security breach notification laws are understood to be modeled upon the California law, many states have developed more detailed notification requirements. With the passage of SB 24, California joins at least 17 states and U.S. territories in (1) regulating the specific content of security breach notices to include certain types of information for consumers in states including Hawaii, Illinois, Iowa, Maryland, Massachusetts, Michigan, Missouri, New Hampshire, New York, North Carolina, Oregon, Vermont, Virginia, West Virginia, Wisconsin, and Wyoming, and (2) requiring an entity that suffers a security breach to notify a state regulator, such as the Attorney General, in addition to the affected individuals in states including Alaska, Hawaii, Idaho, Indiana, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, South Carolina, Vermont, and Virginia.