California’s prior data breach law was the first in the nation and turned out to be a model that other states used for their own data breach laws. Whether the new law will have that same effect remains to be seen but, just in case, here is the 30,000-foot view of what it does:
The new statute, SB 24, essentially does the following:
- Applies to anyone in California that owns or licenses computer data containing non-public personal information (last name + first name or initial + Social Security number, driver’s license number, ID number, account, debit or access numbers, medical information, or health insurance information)
- Applies upon discovery or notification of a data breach of “unencrypted personal information”
- Requires notice (written/electronic/posting) in the most expedient time possible and without unreasonable delay
- Requires that data breach notifications specifically contain:
  - a general description of the incident
  - the type of information breached
  - the time of the breach
  - the toll-free telephone numbers and addresses of the major credit reporting agencies in California, and
  - whether notification was delayed because of law enforcement
- Requires data holders to send a copy of the notice to the Attorney General if the breach affects more than 500 people in California
- (and a few more pages of details I didn’t cover)
Most of this information was taken from a nice article written by Tanya Forsheit of InfoLawGroup entitled California Amends Data Breach Law – For Real This Time. Go check it out, this could be a model for things to come!