California toughens breach notification law

California Governor Edmund Brown on Tuesday signed new legislation that will strengthen privacy and consumer protections in the state.

The new set of bills will, among other things, require each state agency and department to conspicuously post its privacy policy on its website, and companies to offer identity theft prevention and mitigation services to consumers following data security breaches.

“If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information,” the bill states.

The latter bill also addresses what form a breach notification must take, what it must include, and when it must be sent out and to whom.

It’s also interesting to note that it applies only to breaches in which unencrypted personal information is believed to have been compromised.

This bill doesn’t apply to providers of health care, health care service plans, or contractors regulated by the Confidentiality of Medical Information Act; financial institutions subject to the California Financial Information Privacy Act; entities governed by the medical privacy and security rules issued by the federal Department of Health and Human Services under the Health Insurance Portability and Accountability Act (HIPAA); entities that obtain information under an agreement pursuant to the Vehicle Code; and businesses that are regulated by state or federal law providing greater protection to personal information than that provided by this law.