This law, operative since July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The bill would permit the notifications required by its provisions to be delayed if a law enforcement agency determines that it would impede a criminal investigation. The bill would require an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data, as specified.
This law:
· Requires an agency, person, or business that conducts business in
· Requires disclosure to be made in the most expedient time frame possible consistent with the legitimate needs of law enforcement.
· Defines "personal information" as an individual's first or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(a) Social Security number;
(b) Driver's license number; or
(c)
· Defines "notice" as being provided by one of three methods: written notice, electronic notice consistent with federal law, or substitute notice.
· Allows a substitute notice only upon demonstration that the cost of providing notice would exceed $250,000, or more than 500,000 people would be notified. The substitute notice must consist of the following three actions: email notice, posting notice on the notifier's web site, and notification of the major statewide media.
· Permits an agency, person, or business to comply with these provisions by utilizing their own notification procedures as part of an information security policy, as long as such procedures are otherwise consistent with the timing requirements of the law.