California has expanded its data breach notification requirements by adding certain online account information to the definition of "personal information" used to determine whether notification is required under state law. As a result, a number of online service providers may, for the first time, be subject to California's notification requirements.

Previously, California's notification requirements were triggered when the information accessed during a data breach included an individual's name, in combination with the individual's (1) Social Security number, (2) driver's license or California ID number, (3) account, credit or debit card number together with a security or access code, (4) medical information or (5) health information, where either piece of information was not encrypted. Senate Bill 46 and Assembly Bill 1149 amend the definition of "personal information" under California Civil Code Sections 1798.82 to include, in addition to the information listed above, a "user name or email ad-dress, in combination with a password or security question and answer that would permit access to an online account.

Originally published in The Daily Journal on January 21, 2014.