California state Senator Joe Simitian (D-Palo Alto) certainly can be credited with persistence when it comes to expanding California’s data breach notification law, and with Jerry Brown replacing Arnold Schwarzenegger as governor, the fourth time may be the charm.  On April 14, 2011, the California State Senate voted to approve Senate Bill 24, which now moves to the State Assembly for consideration.

The new legislation would amend California’s existing security breach notification requirements by:

  • Establishing standard content requirements for data breach notifications to California residents, including the type of information breached, the time of the breach, and the toll-free telephone numbers of the major credit reporting agencies; and
  • Requiring public agencies, businesses, and individuals subject to California’s security breach notification law to send an electronic copy of the breach notification to the California Attorney General if more than 500 Californians are affected by a single breach.

Under the proposed bill, an entity covered by and in compliance with the federal Health Insurance Portability and Accountability Act (“HIPAA”) would be deemed to have complied with the California law.  There is, however, no comparable safe harbor built into the proposed law for compliance with Gramm-Leach-Bliley.

Simitian has tried three times already to amend California’s data breach notification law, and, despite approval by the California Legislature in 2008, 2009, and 2010, the measure was vetoed each year by then-Governor Schwarzenegger.  Simitian also was the original sponsor of California’s landmark data breach notification law, enacted in 2003, which served as a model for many of the breach notice statutes subsequently adopted in 45 other states (as well as the District of Columbia and Puerto Rico).