New additions to CA Data Breach Law


I’ll try to use this blog to sum up some of relevant results of California’s recent legislative session.  For today’s blog, which is also the inaugural post, the focus is on the expansion of California’s Data Breach Notification Law.

SB 46, which was signed by Governor Brown last week, expands the definition of personal information in California’s Data Breach Notification Law (Cal Civ Code 1798.29 and 1798.82). The law will require notice when a California resident’s username or email address is breached, or reasonably believed to have been breached, with its password or security question and answer that provides access to an online account.

There is a also a new method for how notice is to be provided for this new category of personal information:

1.  If no other personal information has been breached, notice can be provided in an electronic or other form to “direct the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.”

2.  If the breach involves login credentials of an email account, then the notice cannot be made to the email address but rather by other methods, including “by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.”

Attorney General Harris released the office’s first report in 2012 on data breaches, with a few recommendations: 1. Encrypt personal information when moving or sending outside of the secure network 2. Review and tighten internal security controls 3. Make breach notices easier to read. 4.  Expand data breach law to include passwords. (Check)

Bottom line, if you own or license this new category of computerized unencrypted personal information, be prepared by year’s end, as SB 46 goes into effect January 1, 2014.

This blog is for general information and educational purposes, not to provide legal advice. If you need legal advice, please consult with a qualified attorney.