In 2002, California became the first state in the nation to enact a data security breach notification law. The law requires any person or business that owns or licenses computerized data that includes Californians’ personal information to
“disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay.” California Civil Code s. 1798.29(a).
“Personal information” means an individual’s first name or
first initial and his or her last name in combination with any one or
more of the following:
(A) Social security number.
(B) Driver’s license number or California identification card
number.
(C) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual’s financial account.
(D) Medical information.
(2) “Medical information” means any individually identifiable
information, in electronic or physical form, regarding the individual’
s medical history or medical treatment or diagnosis by a health care
professional.
On October 6, 2015, California Governor Jerry Brown signed into law a bill that provides a model form for security breach notifications. The law will take effect on January 1, 2016. The law requires security breach notifications to include relevant information under the following headings:
“Notice of Data Breach”
“What Happened”
“What Information Was Involved”
“What We Are Doing”
“What You Can Do”
“Other Important Information”
“For More Information”
Any person or business suffering a security breach situation that requires the issuance of a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. ((California Civil Code s. 1798.29(e)and California Civ. Code s. 1798.82(f)).