On September 4, 2013, California state legislators passed an amendment to the state’s breach notification law. The bill, SB 46, would expand notification requirements to include security incidents involving the compromise of personal information that would permit access to an online or email account. Pursuant to SB 46, the definition of “personal information” contained in Sections 1798.29 and 1798.82 of California’s Civil Code would be amended to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.” Notably, the compromise of these data elements alone ̶ even when not in conjunction with an individual’s first name or first initial and last name ̶ would trigger a notification obligation under the amended law. In addition, the bill does not limit the data elements that constitute “personal information” to those that would permit access to an individual’s financial account.
The bill also would permit companies and state government agencies to notify affected individuals of incidents involving the compromise of online account credentials by providing notification in “electronic or other form” that directs the affected individuals to take steps to protect their online accounts, including by changing the passwords and security questions and answers on accounts for which they use the same log-in credentials. The bill prohibits the notifying company or agency from sending the notification to an email address that may have been compromised as a result of the incident.
Update: On September 27, 2013, California Governor Jerry Brown signed SB 46 into law. The amended law will become effective on January 1, 2014.