888-448-5451 [email protected]

FEBRUARY 8, 2012

As a reminder, any business or entity that conducts business within California and collects and holds Personally Identifiable Information (PII) is now subject to Senate Bill 24, which amends the California breach notification law.

This new bill aims to strengthen the state’s groundbreaking SB 1386 security breach notification law by mandating how and what content to include when notifying affected individuals after January 1, 2012.

To begin, SB 24 requires that the notice to California residents be written in plain language. I believe this to mean at a level easy to understand without the legalese.

Additional content required must include the following:

  • The types of information breached.
  • When the breach occurred or a range of suspected dates.
  • The name and contact of the person or business reporting the breach.
  • Whether the notification was delayed as a result of a law enforcement investigation.
  • A general description of the breach incident.
  • The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver’s license or California identification card number.

At the discretion of the business, the security breach notification may also include what is being done to protect the individual whose information was compromised.  We urge businesses to add this because it can restore trust and may reduce customer churn.

In addition, SB 24 now requires businesses and state agencies notifying more than 500 California residents in a single breach to submit an electronic reporting form online and upload a sample copy of the notification letter being sent to the affected individual.

HIPAA-covered entities are deemed to have complied with the notice requirements if they have complied with the similar breach notification requirements of the HITECH Act.  This means that a HITECH Act notification satisfies the content requirements of SB24, but nothing more.  HIPAA-covered entities must still notify the Attorney General if more than 500 California residents need to be notified.

NCX encourages all organizations to establish a comprehensive information security program that includes a thorough incident response program.  Don’t forget to review SB24 and update your notification policies to include the new requirements.

Posted by Mike Fitzpatrick, CRISC, CEO, NCX Group