California Amends Security Breach Notification Law | Practical Law

Two bills amending California's security breach notification laws were signed into law on September 27, 2013.

Practical Law Legal Update 2-543-8306 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 30 Sep 2013, USA (National/Federal)
On September 27, 2013, California Governor Jerry Brown signed two bills, SB 46 and AB 1149, into law, amending California's security breach notification laws, California Civil Code sections 1798.82 (applicable to persons and businesses) and 1798.29 (applicable to agencies). The amendments, which will become effective January 1, 2014, may impact businesses that collect and store personal information of consumers who are California residents.
Most significantly, the amendments expand the scope of the data security breach law to cover user names and email addresses, when disclosed with related password or security information. In addition to expanding the notification requirements under California law, these amendments may have an influence on a similar expansion of security breach laws that exist in 45 other states.
Among other changes, the amendments:
  • Add "[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account" to the list of data elements that constitute personal information that may trigger notification requirements.
  • Provide that, in a breach involving such online account information and no other personal information, a person or business may comply by:
    • providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer; or
    • taking other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.
  • Provide that, where such a breach involves login credentials of an email account furnished by the person or business, the person or business may not comply by providing the security breach notification to that email address, but may instead comply by providing notice by:
    • another method described in the law, such as written notice; or
    • clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an IP address or online location from which the person or business knows the resident customarily accesses the account.