On August 31, 2011, California Governor Jerry Brown signed into law amendments to that state’s security breach notification statute.  The revisions establish new content requirements for breach notification letters to California residents, and mandate notification to the state Attorney General when a breach affects more than 500 Californians.  Senate Bill 24 was the third effort by State Senator Joe Simitian to build on the landmark California breach notification law he authored in 2002.  The two previous bills he proposed were passed by the California legislature, but vetoed by former Governor Arnold Schwarzenegger.

Under the new law, notification to affected California residents will need to include, at a minimum:

  • The name and contact information of the reporting agency, person or business;
  • A list of the types of personal information that were or are reasonably believed to have been the subject of the breach;
  • The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a Social Security number, a driver’s license number or a California identification card number;

and, to the extent it is possible to determine at the time the notice is provided:

  • The date of the notice and any of the following: (1) the date of the breach, (2) the estimated date of the breach or (3) the date range within which the breach occurred;
  • Whether the notification was delayed because of a law enforcement investigation (if applicable); and
  • A general description of the breach incident.

The law provides that any agency, person or business also may include, at its discretion, information regarding what the entity has done to protect individuals whose information has been breached, and steps that the affected individual may take to protect himself or herself.

In addition, the law requires any agency, person or business that notifies more than 500 California residents to submit an electronic copy of its security breach notification (excluding any personally identifiable information) to the Attorney General.  Building on existing substitute notification requirements, the law also requires California businesses and persons invoking substitute notice to notify the Office of Privacy Protection within the State and Consumer Services Agency.  California agencies using substitute notice will be required to notify the Office of Information Security within the California Technology Agency.

Entities covered by and in compliance with HIPAA’s HITECH Act breach notification requirements will be deemed to have complied with the California law.

View the full text of the bill, which will take effect January 1, 2012.