California Updates Data Breach Law to Require More Incident Details

California Gov. Jerry Brown signed into law a bill that defines exactly what organizations have to disclose in case of a data breach.

California has updated its data breach notification law to further define what organizations have to do in case customer data is stolen.

The bill, SB-24, updates California's current data breach notification law by requiring organizations to include in the breach notification letters the specifics of the security incident and advice on steps customers should take. The bill also includes provisions mandating that if the security breach affected 500 or more people, the organization must submit a copy of the letter to the state attorney general's office. The bill was signed into law Aug. 31 by Gov. Jerry Brown and will take effect on Jan. 1, 2012.

The breach notification letters must include information such as the type of personal information exposed, a description of what happened, time of the breach, and toll-free telephone numbers and addresses of major credit reporting agencies in California, according to the new law. The original law did not specify what information had to be included in the letters. The new law also requires the letters to be sent "in the most expedient time possible and without unreasonable delay."

"No one likes to get the news that personal information about them has been stolen," said State Sen. Joe Simitian (D), the bill's sponsor. "But when it happens, people deserve to get the information they need to decide what to do next."

About 28 percent of data breach victims receiving a security breach notification letter "do not understand the potential consequences of the breach after reading the letter," Simitian said, referring to a recent survey by the Samuelson Law, Technology & Public Policy Clinic at the University of California, Berkeley.

Any organization that stores any kind of personal information must send out notification letters as soon as it discovers a security breach in which "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person," according to the new law. If the law enforcement agency involved decides that disclosing the breach and notifying the victims would impede the criminal investigation into the incident, then the notification "may be delayed."

"Recently, we've see an increase in pressure for companies involved in data breach to report increasingly specific data, and in an increasingly timely manner, this effort from California legislation appears poised to do just that," wrote Cameron Camp, a security researcher at ESET, on the ESET Threat blog.

California was the first state to pass a law eight years ago requiring companies to alert California residents if their personal data was accessed illegally in a data breach. Since then, nearly all the other states have followed suit with their versions of that law. All the states have slightly different requirements, resulting in President Obama to request a nationaldata breach notification law so organizations don't need to negotiate a "patchwork of 47 state laws." There are multipledata breach notification bills currently circulating in the House of Representatives and the Senate.

California is often at the forefront of consumer privacy. Along with the first data breach notification law, the state legislature was considering a "Do Not Track" law to restrict how Web services and companies collect data online for California residents.

Even though the law applies only to California residents affected by the breach, it will have an impact across state lines. Organizations are not likely to issue two sets of letters, one for California residents and one for other states, after a data breach. Organizations will have to adjust their data breach notification policies to make sure they are including the information required under the law for future incidents.

SB-24 had been vetoed twice by former Gov. Arnold Schwarzenegger. Schwarzenegger had said there was no proof the additional information in the letter would actually help consumers. He also did not want the attorney general's office to become a "repository" for breach notifications.

Massachusetts and New Hampshire require organizations to notify the state attorney general in case of a data breach affecting their residents.

Simitian had said in the past that notifying the attorney general would give law enforcement officials the information needed to identify patterns in data theft to define the scope of the threat.

Privacy Rights Clearinghouse estimates that at least 500 million sensitive records have been compromised nationwide since 2005. There have been a number of sensitive records compromised in 2011 alone, with multiple breaches on Sony servers and various third-party organizations hit by random attackers.