March 19, 2003

California Law Protecting Computerized Personal Information Takes Effect in July

Effective July 1, 2003, individuals and businesses that conduct business in California must notify California residents whenever their unencrypted "personal information" was, or is reasonably believed to have been, acquired by an unauthorized person as the result of a breach of the security of a computerized system.* The law is intended to help California residents protect themselves from becoming victims of identity theft by giving them notice whenever the privacy of their personal information stored in a computer system is compromised.

What Personal Information Is Protected by the Law?

The law defines "personal information" as an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

  • Social Security number,
  • Driver's license number or California Identification Card number, and/or
  • Financial information, such as an account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the account or card.

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.

What Constitutes a Breach of Security?

A "breach of the security of the system" means the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by an individual or business.

Good-faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not considered to be a breach of the security of the system - provided that the personal information is not used or subject to further unauthorized disclosure.

What Form Must the Disclosure Take?

Notice can be made in writing or electronically, in accordance with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.** If (1) the cost of providing notice using either of these methods exceeds $250,000 or (2) the number of people to be notified exceeds 500,000, then a substitute notice can be sent in one of the following ways:

  • E-mail notice when the person or business has an e-mail address for the subject persons,
  • Conspicuous posting of the notice on the Web site of the person or business whose computer system was breached, or
  • Notification to major statewide media.

By When Must Notice Be Given?

The disclosure must be made in the most expedient time possible and without unreasonable delay, subject to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. However, the notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.

Are Public Sector Entities and Sponsors of Multiemployer Plans Affected?

The law applies to "any person or business that maintains computerized data that includes personal information" and to California state agencies, but not to counties, cities, school districts or their boards, commissions or agencies. It is unclear whether the law will apply to ERISA plans, including multiemployer pension and group health plans, or will be preempted by ERISA.

What Are the Penalties for Noncompliance?

SB 1386 adds section 1798.84 to the California Civil Code on remedies and provides that:

  • Any customer injured by a violation of this title may institute a civil action to recover damages,
  • Any business that violates, proposes to violate, or has violated this title may be enjoined, and
  • The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.

Implications

California-based employers and plan sponsors, as well as other employers and plan sponsors that cover California residents, should seek advice of legal counsel regarding the interpretation, implementation and implications of the law.



* The law appears in § 1798.82 of the California Civil Code as added by SB 1386 (Chapter 915 of the statutes of 2002). It is available online. It adds to the protections created by SB 168, Chapter 720 of the statutes of 2001, which addressed the use of Social Security numbers. For more information, see The Segal Company's May 15, 2002, Compliance Alert, "California Law Restricting Use of Social Security Numbers: Implications for California Employers and Sponsors of Employee Benefit Plans that Cover California Residents."

** For more information about the requirements in the United States Code, see The Segal Company's August 2000 Bulletin, "E-Signature Law Has Employee Benefit Implications."

Compliance Alert, The Segal Company’s periodic electronic newsletter summarizing important developments affecting benefit plan compliance, is for informational purposes only. It is not intended to provide authoritative guidance. On all issues involving the interpretation or application of laws and regulations, plan sponsors should rely on their attorneys for legal advice.
