California Enhances Data Breach Notification Requirements

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Under new legislation that will take effect next year, persons and entities doing business in California will be required to make additional disclosures in the event that the security of their computerized data systems are breached.

Existing law requires companies doing business in California to disclose data breaches involving the personal information of California residents.

The recent legislation (Senate Bill 24, Chapter 197) amended California Civil Code Sec. 1798.82, adding several specific requirements as to the form and substance of breach notifications. As amended, the statute requires breach notifications to be in plain language.

At a minimum, notifications must contain the following:

• The name and contact information of the notifying person or business.

• The types of personal information that were the subject of the breach.

• The date or estimated date of the breach.

• Whether notification was delayed as a result of a law enforcement investigation.

• A general description of the breach incident.

• The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed California residents’ Social Security, driver's license, or identification card numbers.

At the discretion of the notifying company, the security breach notification may also include any of the following:

• Information about what the notifying company has done to protect individuals whose information has been breached.

• Advice on steps that persons whose information has been breached may take to protect themselves.

In addition, if notification is made to more than 500 California residents as a result of a single breach of the security system, the notifying company must electronically submit a single sample copy of the notification, excluding any personally identifiable information, to the California Attorney General.

The legislation was signed by Governor Jerry Brown on August 31, 2011, and will take effect on January 1, 2012. Similar bills were vetoed by former Governor Arnold Schwarzenegger in 2009 and 2010.

The current version of the law appears at CCH Privacy Law in Marketing ¶30,500.