The California governor recently signed into law an amendment to the existing California data breach notification law. As amended, companies who are required to provide notice to individuals under California’s data breach notification law will also have to notify the California attorney general if more than 500 California residents are impacted. Under the revisions, companies that conduct substitute notice (in the event that there are more than 500,000 impacted individuals or the cost to notice would be more than $250,000) must also notify the California Office of Privacy Protection. This is in addition to making an announcement in major state-wide media outlets and posting a notice on the company website.
TIP: Companies should ensure that they have a breach notification plan in place that outlines who they need to notify and when. California joins a handful of states that requires notification in the event of a breach not only to impacted individuals and credit reporting agencies, but to state officials as well.