Supported by California Attorney General Kamala Harris, California Senate Bill 46 expands the definition of personal information to include user name or email address, together with a password or security question and answer that would permit access to an online account (“New Personal Information”) and provides for methods of breach notification therefor under California’s breach notification law effective January 1, 2014. See Cal. S.B. 46. As a result, online account information needs to be considered in breach notification preparation and response, including policies and practices.
The definition of personal information under California’s breach notification law continues to include an individual's first name or first initial and last name, together with one or more of the following data elements, when either the name or the data elements are not encrypted: (1) social security number, (2) driver's license number or California identification card number, (3) account number, credit or debit card number, together with any required security code, access code or password that would permit access to an individual's financial account, (4) medical information or (5) health insurance information (“Current Personal Information”).
A person or business may provide the breach notification for a breach that involves New Personal Information for an online account, but that does not involve Current Personal Information, in electronic or other form that directs the person whose New Personal Information has been breached to promptly change their password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose New Personal Information has been breached uses the same user name or email address and password or security question or answer.
A person or business must not send the breach notification for a breach involving New Personal Information for login credentials of an email account furnished by that person or business to that same email address. Instead, the person or business may comply by providing notice by one of the following methods: (1) written notice, (2) electronic notice, if the notice provided is consistent with the electronic records and signatures provisions in 15 U.S.C. Section 7001 or (3) substitute notice, if the person or business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice must consist of all of the following: (a) email notice when the person or business has an email address for the subject persons, (b) conspicuous posting of the notice on the Internet website page of the person or business if the person or business maintains one and (c) notification to major statewide media. Alternatively, the person or business may provide clear and conspicuous notice delivered to the California resident online when they are connected to the online account from an Internet Protocol address or online location from which the person or business knows the California resident customarily accesses the account.
Given the upcoming January 1, 2014 effective date for California Senate Bill 46, breach notification preparation and response, including policies and practices, should be reviewed. Finally, state breach notification and other laws and breach and incident practices relating to online account information should be monitored for developments.