On August 31, 2011, California amended its consumer data breach notification statute (Cal. Civ. Code §§ 1798.29 & 1798.82) to require that an entity, following a breach of its electronic data, provide certain information in its notice to affected consumers. Under the current law, entities subject to a data breach must provide written or electronic notice of the breach to affected consumers; however, the law does not require that the notice include specific information. Senate Bill 24, which goes into effect on January 1, 2012, requires that any agency, person, or business provide consumers with a plain-language notice that includes:

  • The entity’s name and contact information;
  • A general description of the breach, and the type of personal information that was subject to the breach;
  • The date of the breach or, if this information is unknown, an approximation of when the breach occurred;
  • Whether notification of the breach was delayed as a result of a law enforcement investigation; and
  • Contact information for the major credit reporting agencies.

Under the amended law, an entity that is the subject of a data breach affecting more than 500 California consumers also must forward an electronic copy of the consumer notification to the California Attorney General. Moreover, the revised law advocates, but does not require, that an entity provide (1) information on the efforts it has taken to protect affected consumers; and (2) recommendations on how consumers can protect themselves.

Notably, these changes to California’s data breach notification statute follow a recent flurry of proposed federal legislation—including H.R. 1707, H.R. 1841, H.R. 2577, S. 1151, S. 1207, and S. 1408—calling for a nationwide data breach notification requirement.