The new law, SB 24, updates California’s 2002 data breach notification law, which did not contain rules about what information should be include in notification letters.
SB 24 establishes rules for what information must be in the data breach notification letter, including a general description of the data breach incident, the type of information breached, the time of the breach, and contact information for major credit reporting agencies.
In addition, the new law requires organizations to send an electronic copy of the data breach notification letter to the state attorney general, if a single data breach affects more than 500 Californians.
“Senate Bill 24 is the logical next step to ensure consumers have the specific information they need to protect themselves after a data breach. No one likes to get the news that personal information about them has been stolen. But when it happens, people deserve to get the information they need to decide what to do next”, said State Senator Joe Simitian (D-Palo Alto), who sponsored the bill.
A survey by the Samuelson Law, Technology & Public Policy Clinic at the University of California at Berkeley found that 28% of data breach victims receiving a data breach notification letter “do not understand the potential consequences of the breach after reading the letter”, Simitian noted.
Richard Holober, executive director of the Consumer Federation of California, commented on the enactment of SB 24: “Privacy notification laws won't stop every security lapse from happening. But they will make businesses and agencies take more precautions to safeguard their data files. And if you ever do get that dreaded letter in the mail, you'll be able to do something about it.”