On August 31, 2011, Govern Jerry Brown strengthened California’s Computerized Data Security Breach laws by signing into law Senate Bill 24 (Simitian). SB 24 was enacted in response to recent data revealing that over 500 million sensitive records have been breached since 2005 and that individuals receiving notice of the breach do not understand the consequences of these security breaches. SB 24 sets forth detailed steps for notification and lists the exact information that must be provided to California residents affected by the security breach.
SB 24 applies to any person or entity conducting business in California that owns or licenses computerized data that includes personal information. If any personal information was, or is reasonably believed to be, taken by unauthorized means, California residents must be immediately advised of the security breach with a detailed notice. The new law also requires that the California Attorney General be notified of any security breach that affects more than 500 residents.
The notice to California residents must “be written in plain language” and contain, at least, the following information:
• The date of the notice and the name and contact information of the person or business whose computerized data was breached.
• A list of the types of personal information that was breached.
• To the extent known, the actual or estimated date or date range of the breach.
• A general description of the breach incident.
• If the breach exposed a Social Security number, driver’s license number, or California identification card number, the toll-free telephone numbers and addresses of the major credit reporting agencies.
Although not required, a noticing person or business may include information about what the person or business has done to protect individuals whose information has been breached and advice on steps that the person whose information has been breached may take to protect himself or herself.
Substitute notice can be used in limited circumstances. Substitute notice can only be used if the cost to provide the required notice exceeds “two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information.” Substitute notice must be sent via e-mail, posted in a conspicuous place on the website, and by provided the Office of Privacy Protection.
Entities covered by HIPAA are excluded from the requirements of the new law so long as the entities have complied with the breach notification provisions of the federal HITECH Act.
SB 24 will become effective January 1, 2012. Individuals and business subject to the new law are advised to review their current notice letter and make revisions necessary to ensure that the information provided in their notice letters complies with the new law.