Another State Amends its Breach Notification Law

Following recent amendments by Illinois and Texas, California amends its existing data breach notification requirements. http://www.senatorsimitian.com/entry/sb_0024_data_breach_notification/ California was the first state to require notification if personally identifiable information is compromised, and since its introduction in 2003, all but two other US states have enacted similar laws. While many commentators are claiming this amendment “blazes a new trail,” http://www.scmagazineus.com/california-blazes-trail-again-with-enhanced-breach-alert-law/article/211005/ the amendment actually adopts a requirement imposed in some form by 18 others states, namely a breach affecting 500 or more individuals must be reported to the state attorney general's office by letter.

In addition, California joins at least 14 other states that require certain detail in the breach notification letters.  Notices to California residents must now (a) specify what data may have been compromised and the date of the compromise, (b) describe the incident, and (c) offer advice for protection against identity fraud, including numbers and addresses for the major credit bureaus.  California’s mandate conflicts directly with the requirements of Massachusetts (presumably to avoid the creation of security risks – knowledge is power), which states that “said notification shall not include the nature of the breach or unauthorized acquisition or use or the number of residents of the commonwealth affected by said breach or unauthorized access or use.” http://www.malegislature.gov/Laws/SessionLaws/Acts/2007/Chapter82

Congress has been debating and considering the scope of preemption of state law by any federal breach notice legislation.  It will be interesting to see how this conflict between security and consumer education will be resolved.