In less than two months, when S.B. 46 becomes effective on January 1, 2014, California will extend its data breach notification requirements to a new area: individual online user accounts. Clients should take note of this significant development. It is a substantial enlargement of the notification burdens that many companies face (in particular, companies that conduct business in California and that own or license computerized data including personal information), and is indicative of, and may prefigure, other jurisdictions’ efforts to update their privacy laws to ensure online privacy in emerging areas.
S.B. 46 Broadens California’s Current Data Breach Notification Requirements

Under current California law, a business that owns or licenses computerized “personal information” must “disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” “Personal information” means “an individual’s first name or first initial and last name” in combination with one or more additional data elements. These data elements include a variety of individual identifiers: social security numbers; driver’s license or state identification card numbers; bank-, credit-, or debit-card numbers (when combined with the account’s access or security code, or password); medical information; and health insurance information. “Personal information” does not include information that is publicly available through federal, state, or local government records...