On September 27, 2013, California Governor Jerry Brown signed into law an amendment to California’s breach notification law (Cal. Civ. Code § 1798.82). Effective January 1, 2014, under the amended law, the definition of “Personal Information” will be expanded to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.” Additionally, new notification options have been added to address a breach of this type of information.
As amended, if there is a breach involving only this type of information and not the other types of information covered under the pre-amendment definition of “Personal Information,” the entity in question may provide notice to the affected person in electronic or other form. This notice must direct that person to change his or her password and security question or answer, as applicable, or to take other appropriate steps to protect the online account in question and all other accounts for which that person uses the same credentials.
Under the amended law, if the breached credentials are for an email account furnished by the entity that suffered the breach, that entity may not provide notice to the compromised email account. It may instead use one of the other notification methods allowed by the law, or may comply by providing clear and conspicuous notice to the person when he or she is connected to the compromised online account from an IP address or online location from which the entity knows that person customarily accesses the account.
The foregoing notification methods are options: an entity that breaches its requirements under California’s data security laws may still provide notice under the law’s original notification provision.