This week, California Governor Jerry Brown signed into law a new data breach statute that strengthens notification requirements for residents of California. California already has some of the most extensive and detailed consumer protection-oriented laws in the country governing privacy and breach notification. The current law requires any entity that owns or licenses computerized data containing personal information to notify affected individuals of any breach of the security of that data in which their unencrypted personal information was acquired, or is reasonably believed to have been acquired, by an unauthorized person. Personal information includes the following unencrypted data elements: (1) social security number; (2) driver’s license or California identification number; (3) account number, or credit/debit card number, in combination with the security code, access code or password for a person’s financial account; and (4) medical information.
The new law details the specific notification requirements when such a breach occurs. The law states that notification shall:
- Be made in the most expedient time possible, but without unreasonable delay (subject to a law enforcement delay);
- Be in writing in plain language;
- Include the name and contact information for the involved entity;
- List the types of personal information subject to the breach;
- State the date of the breach, if known;
- State whether there was a law enforcement delay;
- Generally describe the breach incident; and
- Provide toll-free numbers and addresses for the major credit reporting agencies if social security, driver’s license or California identification numbers are involved.
The law goes on to state that, at the discretion of the entity, the notification also may include information about the steps the entity has taken to protect the affected individuals and any advice on steps individuals may take to protect themselves.
The statute further requires that when more than 500 California residents are affected, the entity also must electronically submit a sample copy of the breach notification letter to the California Attorney General, so that law enforcement has a better sense of the big picture of breaches across the state. Healthcare providers and other HIPAA-covered entities that provide breach notification under the HITECH Act are deemed to have complied with the new California law so long as they have complied with the HITECH Act notification requirements. This statute does not obviate the need to report certain healthcare breaches to the California Department of Public Health. The new law affects not just companies located in California, but also those that do business with residents of California. The new law goes into effect on January 1, 2012.