Calif. Law Beefs Up Breach Notices
Law Requires Providing Specific Details to Individuals Affected
California Gov. Jerry Brown has signed into law Senate Bill 24. The bill, introduced by Sen. Joe Simitian, D-Palo Alto, establishes standards for the details to be included in data breach notifications, including a general description of the incident, the type of information breached and the time of the breach. It also requires, in certain circumstances, providing consumers with the toll-free telephone numbers and addresses of the major credit reporting agencies in California.
The law, which affects notification of breaches involving financial, healthcare and other personal information, goes into effect Jan. 1, 2012.
On Sept. 29, 2010, then-Governor Arnold Schwarzenegger vetoed SB 1166, Sen. Simitian's previous effort to enact stronger data breach notification requirements [See California Eyes Stronger Privacy Law].
This new law updates AB 700, or SB 1386, which took effect in 2003 and requires organizations to notify individuals after a breach of personal information. The landmark law - one of the first state breach notification laws in the nation - didn't specify what information needed to be included in the notification. But it required breaches to be reported to affected individuals "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement ... or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system."
Another California law requires licensed healthcare facilities to report breaches of patient medical information to the state Department of Public Health within five business days.
"Senate Bill 24 is the logical next step to ensure consumers have the specific information they need to protect themselves after a data breach," Simitian stated in a press release.
SB 24 also requires organizations that have experienced a breach to send an electronic copy of the notification to the state attorney general if a single breach affects more than 500 Californians. Simitian says this requirement will "give law enforcement the ability to see the big picture and better understand the patterns and practices of identity theft statewide."
Personal information, as defined in SB 24, is an individual's name in combination with one or more of the following: Social Security number; driver's license number or California identification card number; bank account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to the account; medical information; or health insurance information.
Philip Alexander, information security officer for Wells Fargo Bank and author of the book Data Breach Disclosure Laws - a State by State Perspective, sees the new law as being a "common-sense requirement."
While Alexander doesn't see the new law as making things tougher for organizations that have experienced a breach, he says it will help ensure that individuals affected by breaches receive helpful information, such as how to contact credit reporting agencies.
Breach Notification Requirements
The new law requires organizations that experience a breach to provide more detailed information to breach victims. The law requires that breach notifications:
- Be written in plain language;
- Include the name and contact information of the organization that was breached;
- Provide a list of the personal information reasonably believed to have been subject to the breach;
- Spell out the date of the breach, the estimated date of the breach or the date range within which the breach occurred;
- Specify whether the notification was delayed as a result of a law enforcement investigation;
- Offer a general description of the breach incident;
- Provide toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a Social Security number or a driver's license or California identification card number;
- Include information about what the organization has done to protect individuals whose information was breached; and
- Outline steps individuals may take to protect themselves.