The second bill, SB 46, amends California's data breach notification law (Cal Civ. Code § 1798 et seq.), adding to the definition of "personal information" certain information that would permit access to an online account, and imposing additional disclosure requirements if a breach involves personal information that would permit access to an online account or email account. Specifically, the legislation adds to the definition of personal information "a user name or email address, in combination with a password or security question and answer that would permit access to an online account." A breach of this information, if unencrypted, affecting any California resident would trigger the state's data breach notification obligations.
In the case of disclosure of this type of personal information, however, a company will be permitted to notify affected California residents by alternative means. If the breach involves no other personal information, a company may notify the affected resident in electronic or other form that directs the resident to change his/her password and security question or answer, as applicable, or to take other steps appropriate to protect the affected online account and all other online accounts with the same user name or email address and password or security question and answer.
However, if the breach involves the login credentials of an email account furnished by the company, it cannot provide notification to that email address, but may provide notice by: (1) one of the methods currently permitted under the law for notification of a breach of unencrypted personal information (written notice, electronic notice, or, if certain conditions are met, substitute notice); or (2) clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an IP address or online location from which the company knows the resident customarily accesses the account.