Last week, the California state Senate passed S.B. 46, a bill to expand the triggering data under the existing data security breach notification law. Currently, breach notification in California is triggered by the unauthorized acquisition of an individual’s first name or initial and last name in combination with one or more of the following data elements, when either the name or the data elements are unencrypted: social security number; driver’s license or state identification number; account, credit card or debit card number in combination with any required security or access codes; medical information; or health information. S.B. 46 adds to the list of data elements, password, user name or security question and answer for an account other than a financial account. Like the existing list of personal information, this additional information must be in combination with the first name or initial and last name of the individual and one of the elements must be unencrypted in order to trigger the reporting requirement.

The bill now makes its way to the state Assembly for review. It will also need the governor’s signature prior becoming law.