A new amendment to California’s security breach notification law will raise the stakes for businesses required to give notice of a data security breach affecting California residents. California Senate Bill 24 (“SB 24”), signed by Governor Brown on August 31, 2011, imposes detailed new requirements for the content of security breach notices. Significantly, SB 24 also requires notice to the California Attorney General for larger-scale security breaches.

California’s security breach notification law was the first of its kind to be approved by a state legislature. It requires a person or entity conducting business in California to notify California residents whose unencrypted “personal information” was (or is reasonably believed to have been) acquired by an unauthorized person through a security breach. Notice may be provided in written form, electronic form, or through “substitute notice.”3 SB 24 expands both the requirements regarding content of these notices and the scope of necessary recipients.

SB 24’s provisions will become effective on January 1, 2012.