Ah California – the land of dreams where the sun is shining and your privacy is respected. Less than a month ago, California’s legislature proposed a new bill (Assembly Bill 1130) that claims to patch some loopholes in the current law. This new bill would change the definition of personal information to be more inclusive, thereby adding a requirement to disclose a breach when such information is compromised.
In general, California’s breach notification law (The Information Practices Act of 1977) applies to governmental agencies, people and businesses that own or license data that include personal information. It requires the disclosure of any breach of the security of the data to any California resident (1) whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person, or (2) whose encrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person and the encryption key was also acquired by such person and the data holder has a reasonable belief that the encryption key could render the information readable or usable. The disclosure must be made in the most expedient time possible.
The data breach notification itself must meet the following requirements:
- The notification must be written in lain language and must be titled “Notice of Data Breach” and must present the required information under the following headings: “What Happened” ,”What Information Was Involved”, “What We Are Doing”, “What You Can Do”, and “For More Information.”
- The format of the notice must be designed to call attention to the nature and significance of the information in the notice.
- The title and headings of the notice must be clearly and conspicuously displayed.
- The text of the notice and any other notice provided must be no smaller than 10-point type.
And, if the above isn’t clear enough, the law even provides a template form that one could use for the breach notification letter.
So if The Information Practices Act of 1977 was so great, why is this new bill being proposed to amend it? Well, the older law did not include other government-issued identification numbers, nor biometric data. In what seems like a nod to the Illinois Biometric Information Privacy Act, the proposed California bill includes biometric data as a category of personal data that requires a notification if it is accessed by an unauthorized party. The proposed update includes unique biometric data generated from measurements or a technical analysis of human body characteristics, such as fingerprint, retina, or iris image, or other unique physical representation or digital representation of biometric data in its definition of “personal information.”
Protect yo’ self,