Although we have an old cliché that says, “third time is the charm,” in the case of changing California’s breach notification law, State Senator Joe Simitian required four attempts to see the passage of his bill amending the law. On August 31, 2011, Governor Jerry Brown signed Senate Bill No. 24, a bill to enhance California’s breach notification law, S.B. 1386 from 2003. Former Governor Arnold Schwarzenegger vetoed Senator Simitian’s previous three attempts based in part on a reluctance to mandate more paperwork. With the change of administration and Jerry Brown’s new term as Governor, Senator Simitian’s bill found a more sympathetic reception. For a copy of SB 24, click here.
SB 24 makes three important changes to California’s breach notification law. First, SB 24 imposes requirements regarding the content of breach notification communications. At the outset, breach notifications must now appear in “plain language.” SB then requires that breach notifications contain, at a minimum:
- The name and contact information of the reporting business or agency.
- The types of information compromised.
- The date (or estimated date(s)) of the breach.
- Whether the reporting organization delayed notification because of a law enforcement investigation.
- A general description of the incident leading to the breach.
- If the breach compromised social security numbers or driver’s licenses/ID cards, the toll-free number and addresses of the major credit reporting agencies.
Second, SB 24 says that if an organization must notify more than 500 California residents of the breach, the organization must provide a sample copy of the notification electronically to the Attorney General’s office. Before SB 24, a number of other states have imposed attorney general notification requirements. California now joins their ranks.
Third, SB 24 says that entities covered by the Health Insurance Portability and Accountability Act (HIPAA) will be deemed to have complied with California’ breach notification law if they “complied completely” with the breach notification requirements in the HITECH Act. This provision avoids inconsistency between California law and the HITECH Act for HIPAA-covered entities and reduces their compliance burden following a breach. Nonetheless, this provision of California’s breach notification law means that a HITECH Act notification is deemed to satisfy the content requirements of the California law, but no other requirements. For instance, HIPAA-covered entities are not exempt from the requirement to notify the Attorney General of California if more than 500 California residents must be notified.
SB 24 does not make radical changes to California’s breach notification law. Nonetheless, the bill is intended to help consumers understand breach notifications better, engage the Attorney General’s office, and harmonize state breach notification laws with the HITECH Act. Although SB 24 is intended to provide more post-breach protections for consumers, it remains to be seen whether California takes further steps to increase requirements for protecting data prior to a breach, such as the manner in which Massachusetts established data protection requirements.
Stephen Wu
Partner, Cooke Kobrick & Wu LLP