S.B. 570 creates format requirements for notices sent to California residents to better “call attention to the nature and significance of the information” in the notices. The notice must be written in plain language, in type no smaller than 10 point, and titled “Notice of Data Breach.” The notice must be organized under five headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” S.B. 570 also contains a model notification form designed to satisfy the new requirements.
These format requirements further differentiate California notifications from those of other states and may increase the time and expense of notifying California residents. In some circumstances, the California notice may even conflict with another state's notification requirements. For example, Massachusetts does not permit a company to describe the nature of the breach or unauthorized acquisition in notices to its residents, whereas California now requires a “What Happened” section, so a company may need to draft a separate notice for California residents when a data breach affects residents of multiple states.
California permits “substitute notice” when a company must notify more than 500,000 residents or the cost of providing individual notice would exceed $250,000. The new law clarifies what substitute notice consists of: all of the following, rather than any one of them, are required, namely emailing residents for whom the company has an email address, conspicuously posting the notice on the company's website (with a link from the home page) for at least 30 days, and notifying major statewide media and the Office of Information Security within the California Department of Technology. Alternatively, if the breach involves only the unauthorized acquisition of a username or email address for an online account in combination with the password or security question and answer that would permit access to the account, and no other personal information is compromised, then a company may notify the resident electronically and direct the resident to promptly change his or her password and security question and answer, or to take other appropriate steps to protect that account and any other account for which the same credentials are used. One caveat a practitioner should keep in mind: when the compromised credentials are for an email account furnished by the company itself, the statute does not allow the notice to be sent to that email address, since the attacker may be reading it; the company must use another method, such as clear and conspicuous notice delivered when the resident next logs in from an IP address or location the company knows the resident customarily uses.