California Amends its Security Breach Notification Law

On August 31, 2011, Governor Jerry Brown signed Senate Bill 24, amending California’s security breach notification law. That law was the nation’s first to require data owners to disclose a data breach to any California resident whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. Senate Bill 24 applies to breaches occurring on or after January 1, 2012, and makes several important changes to the landmark law.

First, SB 24 enhances the security breach notifications sent to affected individuals. Whereas before the notice law did not impose any requirements for the content of the notice, the amended law requires that the notice contain specific information regarding the breach, including the following: (a) the name and contact information of the reporting person or business; (b) the types of personal information subject to the breach; (c) the date or date range of the breach; (d) whether notification was delayed due to law enforcement investigation; (e) a general description of the breach; and (f) the toll-free telephone numbers and addresses of the three major credit bureaus, if the breach exposed a social security number, driver’s license or California identification card number.

Second, SB 24 adds a requirement to notify the state’s attorney general about a breach. More specifically, the notice law now requires any agency, person, or business that sends a security breach notice to more than 500 California residents to electronically submit a single sample copy of that security breach notification to the attorney general, excluding any personally identifiable information. This change adds California to the list of states that require some type of notice to the state’s primary regulator of security breaches.

Third, this bill deems any HIPAA-covered entity to have complied with California’s new notification requirements if the covered entity complied with the similar breach notification requirements in Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). However, the covered entity is not exempt from any other provision of California’s notice law.

Finally, SB 24 also amends Section 1798.82(j) of California’s security breach notification law regarding substitute notice. Reporting entities which seek to notify individuals of a security breach through the state’s media, rather than directly, must now also notify the Office of Privacy Protection within the State and Consumer Services Agency.

In light of these changes, employers will need to update their incident management plans and add these new requirements into their notification policies to ensure compliance with the many state data breach notification requirements.

California SB 24 takes effect January 1, 2012, providing enhanced notification requirements similar to those required under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Hard copy breaches are still not covered under the California law.

Photo credit: dra_schwartz

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.