Effective January 1, 2014, California residents must be notified when the information used to access their email or other online accounts is compromised in a data security breach incident.
Last month, California Governor Brown signed into law SB-46, which amends California’s breach notification statutes, California Civil Code Section 1798.29 and 1798.82,[1] to require notice upon the unauthorized disclosure of certain information that would permit access to an online account. California is the first state to broaden the definition of “personal information” (PI) to include online account log-in or access data—specifically, email address or user name, together with the password or security question and answer used to access any online accounts, including email accounts.
Prior to this amendment, California required breach notification only upon the unauthorized acquisition of an individual’s first name or initial and last name, together with the individual’s social security number, driver’s license or state identification number, medical information, health information, or account, credit card or debit card number in combination with any required security or access codes.
Notification Methods Vary Based on Type of Data Breach
Different notification requirements will apply depending on the type of information that has been breached:
-
Non-email account login information: When a breach involves only login information for online accounts other than email accounts with the breached entity, the entity may send the security breach notification in electronic or other form, but must direct the individual to change his or her password and security question or answer, or to take other appropriate steps to protect the breached online account and all other online accounts with the same user name or email address and password or security question or answer.
-
Email account login information: When a breach involves only login information for email accounts furnished by the breached entity, the entity cannot meet the statutory notification obligation by sending the notice to the affected email address. Instead, notice must be accomplished either by the previously available notification methods (generally physical mail or, in some circumstances, notice to another email address) or by clear and conspicuous notice delivered to the affected individual online when the individual is connected to the online account from an IP address or online location the individual customarily uses to access that account.
-
Both account login information & other PI: When a breach involves online account login information together with any other type of PI requiring notification under the existing statute, the notification obligation remains unchanged.
In addition, if more than 500 accounts of California residents are affected, a copy of the electronic notice needs to be submitted to a California Attorney General.
California’s expansion of the types personal information that will trigger notification obligation may fuel movements for similar amendments in other states as well as possible legislation by the federal government.
Because, California’s expanded breach notification statute could affect many entities not previously subject to data breach notification obligations, all entities that conduct business with California residents online should assess their current data security procedures and breach incident response plans to ensure future compliance with the amended statute.
For a summary of current breach notification requirements in the 46 States, D.C. and Puerto Rico, please visit our Security Breach Notification Chart.
[1] Cal. Civil Code § 1798.29 applies to state and local government agencies in California. Cal. Civil Code § 1798.82 applies to all persons and businesses doing business in California. The same changes were made to both statutes.
