Compliance Bulletin

State Bolsters Data Breach Notification Law
September 20, 2011

The state’s data breach notification law, codified at Section 1798.82 (and 1798.29 for government entities) was modified by SB 24 primarily to specify the contents of the mandatory notice.

 Under existing law, any California entity that owns or licenses computerized data that include certain sensitive personal information must give notice of any breach, but the law did not specify the contents of the notice. The new law changes that, but the content requirements essentially make the statute consistent with some of the best practices that have developed in California.

SB 24 specifically requires that the notification be written in “plain language” and contain the following:

  • Name and contact information of the entity reporting the breach.
  • A list of the types of personal information compromised.
  • As available, the date of the breach (or an estimated date or range of possible dates) and the date of the notification.
  • If possible to determine, whether notification was delayed as a result of a law enforcement investigation.
  • If possible to determine, a general description of the breach incident.
  • The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number, a driver’s license, or California identification card number.

The entity may, at its discretion, also disclose what it has done to help protect affected individuals and what steps they might take to protect themselves [1].

If a notification arising from a single breach is required to be given to more than 500 California residents, the entity must also electronically submit a single sample copy (without personally identifiable information) to the Attorney General.

Also, under the existing statute a substitute notice is allowed if the cost of notification would exceed $250,000, more than 500,000 persons are affected, or there is insufficient contact information for the affected persons. The substitute notice consists of sending the required notification by electronic mail (if addresses are available); posting a notice on the entity’s Web site (if it has one), and notification to major statewide media. SB 24 adds a requirement to send the notification to the Office of Privacy Protection. Click here for a link to SB 24. The bill is effective as of January 1, 2012.

Alex Alanis was the lead lobbyist for CBA on this bill.

  1. An entity that is subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPPA codified at 42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with this notice requirement if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). This allowance applies only to the notice requirement in subsection 1798.29(d) and 1798.82(d) and not to any other provision of these sections, as applicable.

The information contained in this CBA Regulatory Compliance Bulletin is not intended to constitute, and should not be received as, legal advice. Please consult with your counsel for more detailed information applicable to your institution.

© This CBA Regulatory Compliance Bulletin is copyrighted by the California Bankers Association, and may not be reproduced or distributed without the prior written consent of CBA.