California Increases Data Breach Notification Detail Requirements


California has passed a bill that requires companies to provide more information to consumers when a data breach occurs. Senate Bill 24 establishes standards for the details to be included in data breach notifications. It builds on Senate Bill 1386, which required organizations to notify individuals after a breach of personal information.

The bill also requires companies to send an electronic copy of the notification to the state attorney general if the breach affects more than 500 people in the state of California. Senator Simitian said this bill is the next logical step to ensure consumers have the specific information they need to protect themselves after a data breach.

The new fraud prevention bill requires that breach notifications:

  • Be written in plain language;
  • Include the name and contact information of the agency breached;
  • Provide a list of the personal information reasonably believed to have been subject to the breach;
  • Spell out the date of the breach, the estimated date of the breach or the date range within which the breach occurred;
  • Specify whether the ID verification notification was delayed as a result of a law enforcement investigation;
  • Offer a general description of the breach incident;
  • Provide toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a Social Security number or a driver's license or California identification card number;
  • Include information about what the organization has done to protect individuals whose information was breached; and
  • Outline steps individuals may take to protect themselves.