On September 27, California Governor Brown once again signed into law a bill amending the state’s breach law (“S.B. 46”). This latest amendment is particularly significant because it represents the first major effort by a state to require notice to consumers of breaches involving the types of information that consumers use to access online accounts. Historically, the focus of the state breach laws has been on the types of personal information that could be used to commit identity theft or fraud, such as Social Security numbers, driver’s license numbers and financial account numbers. California has now tailored its law to recognize the significance and sensitivity of the information that consumers use to access their online accounts. Although it is not clear the extent to which other states may follow California’s lead, S.B. 46 represents a significant progression in the evolution of state breach laws.
S.B. 46, THE CALIFORNIA BREACH AMENDMENT -
S.B. 46 amends the state breach law’s definition of “personal information” to cover certain types of consumer online credentialing and authentication information. Specifically, S.B. 46 provides that, effective January 1, 2014, “[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account” is considered “personal information” for purposes of the state’s breach law.
Please see full publication below for more information.
