Under a bill signed into law on August 31, 2011, California will soon require businesses to provide consumers with more specific information in the event of personal data breaches. California’s original data breach notification laws, the first in the nation, did not specify the contents of the required notice. Since California’s original law was enacted, at least 45 other states have followed in requiring notice following a data breach incident, and a handful of those have set forth specific requirements for the content of the breach notice. Specifically, California amended its consumer data breach notification statute (Cal. Civ. Code §§ 1798.29 & 1798.82) to require that an entity, following a breach of its electronic data, provide certain information in its notice to affected consumers.
California Senate Bill 24, which goes into effect on January 1, 2012, requires that any agency, person, or business provide consumers with a plain-language notice that includes:
- The entity’s name and contact information;
- A general description of the breach, and the type of personal information that was subject to the breach;
- The date of the breach or, if this information is unknown, an approximation of when the breach occurred;
- Whether notification of the breach was delayed as a result of a law enforcement investigation; and
- The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a Social Security number or a driver’s license or California identification card number.
Moreover, the revised law recommends, but does not require, that an entity provide (1) information on the steps it has taken to protect affected consumers; and (2) advice on steps that the person whose information was breached may take to protect himself or herself. In addition, and importantly, California Senate Bill 24 requires data holders to submit an electronic copy of the notification to the California Attorney General if a single breach affects more than 500 Californians.
California’s action comes on the heels of changes to Illinois’ breach notification law that were signed into law on August 22, 2011. Beginning on January 1, 2012, security breach notices to Illinois residents must include: (i) contact information for the credit reporting agencies and the Federal Trade Commission; and (ii) a statement that the individual “can obtain information from these sources about fraud alerts and security freezes.”
With a patchwork of differing state laws defining which types of security breaches require notice and what those notices must include, prompt involvement by experienced counsel is crucial to avoid non-compliance. Further, companies should have data security and breach preparedness plans in place; some jurisdictions go further and mandate written plans and other specific requirements.