The California Legislature recently passed two bills that would substantially change California’s data breach notification law, and impose new burdens on retailers. These bills, Assembly Bill 779 (“AB 779”) and Assembly Bill 1298 (“AB 1298”), have been sent to Governor Schwarzenegger for his signature.[1] If enacted, these bills will:

(1) regulate the storage, retention, transmission, and security measures for credit card, debit

card, and other payment-related data;

(2) require more detailed notifications in the event of certain breaches of payment-related data;

(3) shift the costs of breach notification to retailers and other merchants, if they fail to comply

with these new limitations on handling of payment-related data; and

(4) expand the data breach notification law to cover medical information and health insurance

information.

As our Firm has reported, similar legislation has already been enacted in Minnesota, and has been under consideration in Connecticut, Illinois, Massachusetts, and Texas.[2] If enacted, AB 779 and AB 1298 would take effect on July 1, 2008.