This week California Governor Jerry Brown signed into law a new California data breach statute that strengthens notification requirements for residents of California. California currently has some of the most prolific and detailed consumer protection oriented laws impacting privacy and breach protection in the country. The current law requires that any entity that owns or licenses computerized data that contains personal information to notify affected individuals of any breach of the security of that data and whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person. Personal information includes the following unencrypted data elements: 1) social security number; 2) driver’s licenses or California identification number; 3) account number, credit debit card number in combination with security code, access code or password of an person’s financial account; and 4) medical information.
The new law details the specific notification requirements when such a breach occurs. The law states that notification shall:
• Be made in the most expedient time possible, but without unreasonable delay (subject to a law enforcement delay)
• In writing in plain language
• Name and contact information for the involved entity
• List of the types of personal information subject to the breach
• The date of the breach, if known
• If there was a law enforcement delay
• General description of the breach incident
• Toll-free numbers and addresses for the major credit reporting agencies, if social security, driver’s license or California identification number are involved
The law goes on to state that, at the discretion of the entity, the notification may also include information about the steps the entity has taken to protect the affected individuals and any advice on steps the individual may take to protect themselves.
The statute further requires that when more than 500 California residents are affected, the entity must also submit electronically a sample copy of the breach notification letter to the California Attorney General, so that law enforcement has a better sense of the big picture of breaches across the state. Health care providers and other HIPAA covered entities that provide breach notification under HITECH are deemed to have complied with the new California law so long as they have complied with HITECH notification requirements. This statute does not obviate the need to report certain healthcare breaches to the California Department of Public Health. The new law affects not just companies located in California but those that do business with residents of California. The new law goes into effect on January 1, 2012.