California has amended its security breach notification law to expand the notification requirements for security breaches relating to consumer personal information. The changes, which take effect January 1, 2012, require businesses that suffer a data breach affecting more than 500 California residents to provide notice to the California Attorney General's office.
Senate Bill 24, which amends California Civil Code sections 1798.29 and 1798.82, is designed to enhance California's existing data breach notification requirements so that consumers have additional information to protect themselves against identity theft. The modified law also ensures that the state's top enforcement agency can review the circumstances and potentially take action against the business that experienced the security breach.
Under the revised law, when the security of consumer personal information is breached, the business that possessed the information must include in its notice to consumers:
- A list of the types of personal information that were the subject of the breach;
- The date of the breach;
- A general description of the breach; and
- Toll-free telephone numbers and addresses of the major credit reporting agencies.
If more than 500 California residents are affected as a result of a single breach, the business also must deliver a sample copy of the notice to the Office of the Attorney General.
Who must comply with Senate Bill 24?
Senate Bill 24 applies to any agency, person, or business that owns or licenses computerized data that includes personal information. If a security breach results in a California resident's personal information being acquired, or reasonably believed to have been acquired, by an unauthorized person, that agency, person, or business must issue a security breach notification.
What is a "security breach"?
A security breach of personal information means an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.
What is "personal information"?
"Personal information" means an individual's first name or first initial and last name, together with any one or more of the following: social security number; driver's license number or California Identification Card number; account number, credit or debit card number, in conjunction with the applicable security access code or password; medical information (including an individual's medical history, mental or physical condition, or medical treatment or diagnosis administered by a health care professional); health insurance information (including an individual's health insurance policy number, a unique identifier used by a health insurer, or any information regarding an individual's application and claims history).
Personal information does not include information that is publicly available.
What must the security breach notification include?
The security breach notification must include at least the following:
- Plain language;
- The name and contact information of the reporting agency;
- A list of the types of personal information that were or reasonably believed to have been the subject of the breach;
- The date, estimated date, or date range of the breach, to the extent possible to determine;
- The date of the notification;
- Whether a law enforcement agency investigation delayed notification of the breach;
- A general description of the breach;
- The toll-free telephone numbers and addresses of major credit reporting agencies, if the breach involved a social security number or a driver's license number or a California Identification Card number.
At the discretion of the agency, person, or business, the notification may also include the following:
- Information regarding what the agency, person, or business has done to protect the personal information that was breached;
- Additional steps that consumers may take to protect themselves.
Notice to consumers must be in written or electronic form and must be made without unreasonable delay, unless a law enforcement agency determines that notification will impede a criminal investigation.
Substituted notice is allowed when the agency, person, or business demonstrates that the cost of providing notice would exceed $250,000, that more than 500,000 persons require notice, or that it does not have sufficient contact information. In that case, the amended statute provides that notice shall be given by all of the following methods: e-mail; posting on an Internet site; notification to major statewide media; and, for agencies, notification to California's Office of Information Security, or, for businesses, notification to California's Office of Privacy Protection.
Businesses that comply with HIPAA's security breach notification requirements will be deemed to be in compliance with California's law.
This client alert is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations.