Effective July 1, 2003, California has a new law requiring anyone conducting business in California that owns or licenses computerized data that includes personal information, as defined below, to disclose any breach of security of the system to any resident of California if it is reasonably believed that his or her unencrypted personal information was acquired by an unauthorized person.
In addition, anyone that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach if it is reasonably believed that unencrypted personal information was acquired by an unauthorized person.
The law sets out the specific types of notice deemed appropriate. Notice must be made in the most expedient time possible and without unreasonable delay. The notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required must be made after the law enforcement agency determines that it will not compromise the investigation.
For the purposes of this law, “Personal Information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements when either the name or the data elements are not encrypted:
a) social security number;
b) driver’s license number or California identification card number;
c) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to that individual’s financial account.
For purposes of this law, “Personal Information” does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.