California Amendment Mandates A.G. Notification for Major Data Breaches
California has amended its security breach notification law to expand the notification requirements for security breaches relating to consumer personal information. Senate Bill 24, which amends California Civil Code sections 1798.29 and 1798.82, which takes effect January 1, 2012, also require businesses that suffer a data breach affecting more than 500 California residents to provide notice to the California Attorney General's office.
Senate Bill 24 applies to any agency, person, or business that owns or licenses computerized data that includes personal information, as defined under the statute, and that experiences a data breach of that information. The law requires that security breach notification to affected consumers must include at least the following:
1. Plain language;
2. The name and contact information of the reporting agency;
3. A list of the types of personal information that were or reasonably believed to have been the subject of the breach;
4. The date, estimated date, or date range of the breach, to the extent possible to determine;
5. The date of the notification;
6. Whether a law enforcement agency investigation delayed notification of the breach;
7. A general description of the breach;
8. The toll-free telephone numbers and addresses of major credit reporting agencies, if the breach involved a social security number or a driver's license number or a California Identification Card number.
At the discretion of the entity issuing the notice, the notification may also include the following:
1. Information regarding what the agency, person, or business has done to protect the personal information that was breached;
2. Additional steps that consumers may take to protect themselves.
For breaches affecting more than 500 California residents, the agency, person or business must also send a sample copy to the California Attorney General’s office.
For more information on compliance and detailed summary of California’s new data breach requirements, please read our alert.