California has passed a bill that requires companies to provide more
information to their consumers when a data breach occurs. Senate Bill 24
establishes standards for the details to be included in data breach
notifications. It builds on Senate Bill 1386, which required organizations
to notify individuals after a breach of personal information.
The bill also requires companies to send an
electronic copy of the notification to the state attorney general if the breach
affects more than 500 people in the state of California. Senator Simitian said
this bill is the next logical step to ensure consumers have the specific
information they need to protect themselves after a data breach.
The new fraud prevention bill requires that breach notifications:
- Be written in plain language;
- Include the name and contact information of the agency breached;
- Provide a list of the personal information reasonably believed to have been subject to the breach;
- Spell out the date of the breach, the estimated date of the breach or the date range within which the breach occurred;
- Specify whether the ID verification notification was delayed as a result of a law enforcement investigation;
- Offer a general description of the breach incident;
- Provide toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a Social Security number or a driver’s license or California identification card number;
- Include information about what the organization has done to protect individuals whose information was breached; and
- Outline steps individuals may take to protect themselves.