Security Breach Notification Act

“In April of 2002, hackers entered the California state government system and accessed personal information of over 200,000 state employees ranging from the governor to janitors. Worse yet, the government did not notify the employees until weeks after the incident occurred.” – Kinley Levack (EContent)

Due to the identity theft concerns raised by this intrusion, the Security Breach Notification Act (SB-1386) passed into law in California on July 1, 2003 to address the public's privacy notification concerns. It is a state law, but it has wide-reaching impact: a majority of businesses across the nation must now comply with it. The act mandates that any business that releases, accidentally or otherwise, the “personal information” of any California resident must disclose that release within a reasonable period. Because of the way the law is worded, any company conducting business with any California resident is required to comply. The Security Breach Notification Act addresses the following:

  • Companies, Agencies, or persons conducting business in California must disclose any breach to California residents

  • Timely disclosure must occur for all occurrences

  • Companies may not share information with affiliates without consumer approval

  • “The disclosure shall be made in the most expedient time possible and without unreasonable delay” – (Sec. 2 (a))

The intention of this law is to ensure consumers are made aware when their data is received by unauthorized person(s). However, the wording of the bill means that entities that are not aware of a disclosure are not liable for that disclosure or for alerting customers: the duty applies to data “...reasonably believed to have been, acquired by an unauthorized person” (Sec. 2 (a)). SB-1386 provides a ‘right of action’ for consumers to file a civil case against any noncompliant organization. This legal pressure is unique to this state law, as most federal laws do not provide a ‘right of action’ for consumers.

IT Governance

  • Organizations must ensure the security and confidentiality of customer records and information as required by SB-1386.

  • Organizations must be able to monitor and identify attacks or penetrations in a timely and knowledgeable manner.