The California State Senate approved Senate Bill 1166 on April 15, 2010. The bill amends sections 1798.29 and 1798.82 of the California Civil Code, which require state agencies and businesses to notify California residents of a data breach, by adding specific content requirements for such notices.
The bill requires notification to affected individuals to be written in plain language and include, at a minimum, the following information:
- Name and contact information of the reporting person or business;
- A list of types of personal information that were or are reasonably believed to have been the subject of a breach;
- If the information is possible to determine at the time the notice is provided, any of the following: (i) date of the breach; (ii) estimated date of the breach; or (iii) the date range within which the breach occurred;
- Whether notification was delayed due to law enforcement investigation;
- A general description of the breach incident, if this information is available at the time of notice; and
- Toll-free telephone numbers and addresses of major credit reporting agencies if breach exposed Social Security numbers or a driver’s license or California identification card number.
At the discretion of the agency or business, the following information may also be included in the notices to affected individuals:
- Information about what has been done to protect affected individuals; and
- Advice on steps affected individuals may take to protect themselves.
The amendment would also require agencies and businesses to electronically submit a sample copy of the notification to affected individuals to the California Attorney General if the breach affected more than 500 individuals.
The bill now moves to the California State Assembly for consideration. We will provide an update on any new developments.