California’s New Data Breach Notification Requirements Effective January 1, 2016

When the California legislature closed out their 2015 session on September 11 of 2015, they sent three bills to Governor Jerry Brown proposing amendments to the state’s data breach laws which were all signed into law on October 6 and took effect January 1, 2016. The new laws address what license plate data automated readers may collect, defined encryption, and critically, made significant changes to the details of the required content and format of data breach notifications.  S.B. 570 specified that data breach notices must be titled “Notice of Data Breach” and be broken into sections titled “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do” and “For More Information.”  Notice formatting must be in at least 10-point font and call attention to the notice’s “nature and significance.” A model notification, which companies may use to comply with these content amendments, is also provided in the bill (see below). These formatting requirements would not be prohibited under other state breach notification laws, and so we will likely soon see this format become a de facto national standard for efficiency’s sake.

The amendments further clarify that breach notification may be given online if clear and conspicuous, but may not be sent to an email address if credentials for that email address were compromised in the breach. They also clarify that notification posted to a company’s website must stay posted for a minimum of 30 days and must be “conspicuously” posted, which requires the link on the company home page to be in larger text or in text with contrasting font, color, or formatting, or to be set off by surrounding symbols that draw attention to the notice.

The Model Security Breach Notification Form:

Cal. Civ. Code § 1798.29(d)(1)(D): For a written notice described in paragraph (1) of subdivision (i), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.

[NAME OF INSTITUTION / LOGO]   _____ _____  Date: [insert date]


What Happened?

What Information Was Involved?

What We Are Doing.

What You Can Do.

Other Important Information.

[insert other important information]

For More Information. Call [telephone number] or go to [Internet Web site]