Home

New California Privacy-Breach Reporting Rule

Sep 26, 2011

DOWNLOAD PDF

Oakland, CA, Sept. 26, 2011 – Two weeks ago, Governor Brown signed into law California Senate Bill (SB) 24. This law updates California’s privacy-reporting laws—Civil Code 1798.29 and 1798.82—and becomes effective on January 1, 2012. It specifies when, who, what and how victims must be notified about breaches of financial, healthcare or personal information.

WHEN—The disclosure of a healthcare breach remains five days. The disclosure of financial data remains "in the most expedient time possible and without unreasonable delay." Both deadlines can be waived by the needs of law enforcement, and any lost encrypted data is exempted from notice.

WHO—Notice must now be sent electronically to the attorney general whenever a breach affects more than 500 state citizens. As before, notice must be sent individually to victims or potential victims of any "breach of the security." Distribution can vary with the size of the breach ranging from post, email, websites, and media."

WHAT—As before, "breach of security" means unauthorized access to computerized "personal information" defined as an individual's name in combination with any one or more of the following:

  • - Social-security number
  • - Driver's license number or California Identification Card number
  • - Financial account number, credit or debit-card numbers with access codes or passwords
  • - Medical information
  • - Health-insurance information

HOW—The law specifies and expands the information to be sent to victims. All notifications must be written in plain language and shall include:

  • - The name and contact information of the breach-reporting firm
  • - A list of the types of personal information that were breached
  • - The date or date range estimated for the breach
  • - The date of notice and whether notification was delayed by law enforcement
  • - A general description of the breach incident
  • - The toll-free phone numbers and addresses of the major credit-reporting agencies
  • - Optionally, what has been done to protect victims; advice on how to protect oneself

If you have questions, please contact your Barney & Barney representative, or:

  • Arturo Pérez-Reyes
  • Client Executive: Privacy
  • Phone: (510) 466-6044
  • Cell: (510) 418-8708
  • apr@barneyandbarney.com

Back to News