California Significantly Expands Privacy Breach Notification Law

Alexander P. Woollcott

California Governor Jerry Brown recently signed into law an amendment to California’s landmark data security breach notification law (Senate Bill No. 1386), first enacted in 2003. The original law, S.B. 1386, requires companies doing business with California residents to notify those residents of any actual or suspected security breach involving their unencrypted personal information or data that the company had collected and maintained.

The amendment to S.B. 1386 (Senate Bill No. 24) significantly broadens the protection given to California residents by imposing additional obligations on companies that are doing business with California residents. First, S.B. 24 specifies certain information that must be communicated in the notice of breach. Second, S.B. 24 requires that California’s attorney general be notified about the data security breach if more than 500 California residents are affected by the breach. Third, entities that are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are deemed to be in compliance with S.B. 1386 and S.B. 24 if those entities have complied with the privacy breach notifications under HIPAA.

The new law takes effect on January 1, 2012. S.B. 24 is expected by many to usher in a similar broadening of the security and privacy laws in other states.