Beginning January 1, 2012, any business that is required, under California's security breach notification law, to provide notice to individuals must include in the notice a list of the types of personal information that were the subject of the breach, the date of the breach, a general description of the breach, and toll-free telephone numbers and addresses of the major credit reporting agencies.  The amended law also requires businesses that are required to provide notice to more than 500 California residents as the result of a single breach to provide a sample copy of the notice to the Office of the Attorney General.  The provision concerning substitute notice (which applies when a business demonstrates that the cost of providing notice would exceed $250,000 or that the affected class exceeds 500,000 individuals or when the business does not have sufficient contact information) has been amended to require, among other things, notice to California's Office of Privacy Protection.  Businesses that are in compliance with HIPAA's security breach notification requirements will be deemed to be in compliance with California's law.  A copy of Senate Bill 24 is available here