The joint regulatory agencies issued this morning a proposed guidance document on response programs for unauthorized access to consumer information. Part of the proposed guidance stipulates the circumstances requiring customer notification and the content of such notification.

I know California recently enacted a law requiring consumer notification whenever there was a breach of information systems with information pertaining to residents of California. In the proposal today, the agencies are proposing that consumer notification would only be required when sensitive customer information, as opposed to any customer information, is compromised. Is the language in the proposal today consistent with or contradictory to the requirements of this California law? I know I could go dig out the California law, but thought one of you folks that are already more intimately familiar with it could give me a quick take.
_________________________
Jim Bedsole, CRCM, CBA, CFSA, CAFP
My posts - my opinions