On Wednesday, August 31, 2011, California became the third state this year to amend its existing security breach notification law when Governor Jerry Brown signed into law Senate Bill 24 (“SB 24”). Interestingly, SB 24 also marks the third time in three years that a bill attempting to beef up the state’s breach notice law has landed on the Governor’s desk. Former Governor Arnold Schwarzenegger vetoed the previous two. SB 24’s specific changes, while far from sweeping, include the addition of content requirements for notice letters to individuals and a requirement to send a sample letter to the state’s attorney general if more than 500 people are affected by a breach.
Like HB 3025 enacted in Illinois (see our post here), SB 24 won’t add much to most nationwide breach response plans. The amendments will, however, up the ante for those doing business primarily (or exclusively) in California. As of January 1, 2012, breach notifications to California residents must be written in “plain English” and include at least the following elements:
- The date of the notice
- The name and contact information of the person reporting a breach
- A list of the types of personal information likely impacted
- If the breach exposed a social security number or a driver’s license or California identification card number, the toll-free telephone numbers and addresses of the major credit reporting agencies
In addition, the notice must include the following information if it is possible to determine before the notice is sent:
- The date, estimated date, or date range of the breach
- Whether notification was delayed as a result of a law enforcement investigation
- A general description of the breach incident
Finally, notices may include, at the discretion of the person reporting a breach, any of the following:
- Information about what the person or business has done to protect individuals whose information has been breached
- Advice on steps that the person whose information has been breached may take to protect himself or herself
SB 24 requires any person who notifies more than 500 California residents as a result of a single breach to “electronically submit a single sample copy of [the applicable] security breach notification, excluding any personally identifiable information, to the Attorney General.” Oh yeah, and section 2(e) of SB 24 also specifically provides that a HIPAA-covered entity will be deemed to have complied with the state’s notice requirements if it has complied completely with Section 13402(f) of the federal HITECH Act. For more on that law, see our blog post here.
If you’re thinking, “obviously we’re going to write the notice in ‘plain English’ and date it,” we’re with you. Like we said, SB 24 probably won’t add much to your nationwide breach response plans. But even if the requirements seem a bit odd, you still have to comply with them! Forewarned is forearmed.