Proposed California Breach Notification Law Could Impact Your Organization

Rook Security, published in SECOPS, May 29, 2013

In 2002, California enacted the first security breach notification law in the United States. Since that time, nearly every state has enacted similar laws requiring organizations to notify users if an unauthorized person accesses their personal information. There is currently no such law at the federal level, though several have been proposed, and each state’s law varies slightly. As a result, organizations are left to identify their own compliance requirements, which can be extremely difficult, costly, and may not make all that much sense. The most reasonable solution is usually to identify the strictest set of guidelines and follow them for all security breach notifications. In effect, the state with the most stringent security breach notification law has become the de facto federal law.

The 47 states that currently have similar security breach notification laws in place all define personal information as social security numbers, credit card numbers, bank account information, and data of that nature. California is now seeking to amend its law by changing the definition of personal information to include usernames and passwords. California led the way 11 years ago in this area and most states followed suit. What remains to be seen now is if other states will once again follow California’s example and expand the definition of personal information. Will the federal government incorporate this wider definition when and if it passes its own law?

In the meantime, organizations need to take this time to evaluate their privacy disclosure procedures. There are lots of excuses to put this off: the California law hasn’t been passed yet, or you may not currently be doing any business in California. However, business is always changing, and those that thrive are those that anticipate and prepare for those changes. It’s only a matter of time before this law or one similar to it is passed. First, ensure your current procedures meet current requirements. Then, consider what planned changes your business is expecting and how they may affect your requirements, with specific consideration given to a law similar to the one proposed in California. This will help you ensure you maintain compliance and avoid penalties.
