On January 1, 2012 California’s Expanded Data Breach Notification Becomes Effective

California’s recently expanded Identity Theft Law takes effect January 1, 2012.

Earlier this year, Governor Jerry Brown signed into law SD 24 which expands on the state’s data breach and identity theft notification requirements. The law establishes specific content for data breach notifications that must be sent to consumers.

The notification must now include the following:
• A general description of the data breach.
• What type of personal information was subject to the breach.
• The date and time the breach occurred.
• Whether notification was delayed due to a law enforcement investigation.
• The toll-free telephone numbers and addresses of three credit bureaus, if the breach exposed social security numbers, driver’s licenses or California identification card numbers.
• Entities that have sustained a breach must notify the California Attorney General if the breach effects more than 500 people.

The enhanced law once again demonstrates the importance of a specific privacy and data breach plan for all businesses that handle consumers data information. Data breach law is continually changing and businesses need to be prepared to address a breach the moment it occurs. Other states are more than likely to follow California’s path and increase notification requirements unless a national cyber security law is enacted by the United States Congress.