Earlier this week, California Governor Jerry Brown signed into law an amendment to California’s breach notice law (S.B. No. 24). Former Governor Arnold Schwarzenegger vetoed similar legislation in 2008, 2009, and 2010.
As Inside Privacy noted when the legislation first moved through the California Senate on April 14, the legislation will amend California’s existing security breach notification requirements by:
- Requiring businesses subject to California’s security breach notification law to send an electronic copy of a breach notification to the California Attorney General, if more than 500 Californians are affected by a single breach;
- Establishing standard content requirements for data breach notifications to California residents, including the type of information breached, the date of the breach, and a toll-free telephone number of major credit reporting agencies; and
- Clarifying that a covered entity under the Health Insurance Portability and Accountability Act of 1996 that complies with applicable breach notice requirements will be deemed to comply with the new content requirements for breach notifications in California.
The new law goes into effect January 1, 2012. It makes California one of more than a dozen states that require notice to state regulators in the event of a breach that triggers notification to individuals, with some variation among the states with respect to the threshold of affected individuals that triggers notice to the regulator.
The bill’s author, California Senator Joe Simitian (D-Palo Alto), was the original sponsor of California’s landmark data breach notification law, first enacted in 2003. California’s breach notice bill has been amended on prior occasions, including a 2007 amendment that added health information to the type of data that may trigger a notification obligation.