New Law: California Imposes Additional Information Security Requirements on California Businesses
The bill text documents for SB 24 can be found here: http://www.leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_24&sess=CUR&house=S&author=simitian
On August 31, 2011, Governor Jerry Brown signed into law Senate Bill 24, an amendment to California’s breach notification law, requiring all California business and governmental agencies to notify the California Attorney General of the breach and imposes additional requirements on firms that do business with California residents.
California’s existing security breach notification law, the first one to be adopted in the United States, obligates businesses and agencies to notify affected individuals if their computerized records are compromised and the unencrypted personal information of a California resident was, or is reasonably believed to have been, acquired by an unauthorized person. Since the adoption of California’s breach notification law in 2002, 45 states, the District of Columbia, Puerto Rico and the Virgin Islands have adopted statutes requiring breach notification. While most of these laws follow California’s format, there are wide variations which make it challenging to comply when, as is often the case, individuals in a number of jurisdictions are affected.
SB 24 is, in part, a reaction to development in a number of states that, unlike California’s original statute, require more detailed requirements for security breach notifications and specify certain information which must be included in the notice. Many of these states also require the entity that suffers a security breach to notify a state regulator, as well as the affected individuals. The sponsors of SB 24 saw these two factors – the inclusion of specific, required information in a breach notification and reporting breaches to state law enforcement – as significant benefits.
As adopted, SB 24 changes existing California law by requiring that security breach notifications be written in plain language and contain certain information, such as contact information regarding the breach, the types of information breached, and, if possible to determine, the date, estimated date, or date range of the breach, as well as other information the notifying company deems appropriate. SB 24 also requires that, any agency, person, or business that must provide a security breach notification under existing law to more than 500 California residents as a result of a single breach submit the notification electronically to the California Attorney General.
Jeffer Mangels Butler & Mitchell LLP has counseled numerous companies on a variety of information security matters, including breach notification, breach prevention, and regulatory compliance issues. For information on what you can do to limit potential damage from a security breach, contact Robert Braun at (310) 785-5331 or firstname.lastname@example.org.
Robert Braun is a partner at Jeffer Mangels Butler & Mitchell LLP. His practice includes a focus on information technology and security.