New rules on data breach notification in California cover e-mail addresses
28 November 2013
On 27 September, Senate Bill No. 46 was approved, amending the existing California rules on the mandatory notification of data breaches.
Effective 1 January 2014, the obligation to notify California residents of data breaches affecting them will cover breaches of unencrypted names, and of a user name or e-mail address together with a password or security question and answer that would enable access to an online account.
Another important amendment approved by this bill concerns the means by which these breaches must be notified. Given the specific type of information in question, the business may notify the individuals electronically, directing them to change their online account information.
If, however, the breached information included e-mail log-in information, the electronic notice can only be submitted to the affected individuals when they are logging in from their usual IP address or online location.
From now until 1 January 2014, businesses with operations in California should review their internal data breach procedures to make sure they contemplate these new rules. Also, for multinational groups, such an exercise will be a positive step towards compliance with the new EU General Data Protection Regulation, which we expect will be approved by Spring 2014.
For more information please contact Robert Bond, Partner