As we’ve previously noted (here and here), California and Illinois recently enacted amendments to their data security breach notification laws.  The amendments took effect this week. 

California’s changes are the more notable.  For example, businesses that are required by California’s breach notice statute to notify more than 500 California residents now must also notify the state attorney general.  Although more than a dozen states have laws with similar regulator notice requirements, California’s is unique in that it requires the notice to be submitted electronically.  The California attorney general has created an online reporting form that seeks basic information about the incident and a sample copy of the notice letter that is provided to individuals. 

Also noteworthy is the fact that both laws now require that notices to individuals contain specific contents, including, for example, the contact information for major consumer credit reporting agencies.  California’s law requires that the individual notice be written in “plain language,” another unprecedented requirement in this area.