According to a tweet from World Privacy Forum, California’s governor has just signed an update to the state’s data breach notification law that requires organizations to submit a sample of the breach notification sent to customers to the Attorney General as well, so the state can see what is being sent out and confirm that it is sent out in a timely manner.
State Senate Bill 24 states that it requires: “any agency, person, or business that is required to issue a security breach notification to more than 500 California residents pursuant to existing law to electronically submit a single sample copy of that security breach notification to the Attorney General, as specified.” It continues, “any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
Regarding the timeliness of the notification, the bill continues, “The disclosure shall be made in the most expedient time possible and without unreasonable delay.” Of course, terms like “most expedient time possible” are sure to be tested in real-world cases in the future. The law specifies that the notification should occur “immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” There is one caveat: notification “may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.”
The notification sent to customers and the Attorney General is to be written in plain language, and must include a “list of the types of personal information that were or are reasonably believed to have been the subject of a breach.”
Recently, we’ve seen increasing pressure on companies involved in a data breach to report more specific data, and to do so more quickly. This California legislation appears poised to do just that.
Author Cameron Camp, ESET