Q

SB-46 analysis: How California data breach notification law changed

The scope of California data breach notification law expanded thanks to SB-46. Expert Mike Chapple details some of the most pressing changes.

In the wake of the state of California releasing its first data breach report, a new bill, SB-46, would expand the state's data breach laws to require notification if online account data is compromised. Assuming it becomes law, what's the best way to lay the groundwork for compliance efforts?

Ask the expert!

Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

Under California law, organizations that suffer a security breach are required to notify California residents when the security of their personal information may be affected. Until recently, the definition of personal information was limited to a full name (or first initial and last name) in conjunction with a sensitive data element, such as a Social Security number, driver's license number, medical records or financial account information.

SB-46, which recently became law after working its way through the California legislative process, expands these requirements to cover information that permits access to an online account. The specific language extends the law to include "a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account." SB-46 greatly increases the number of organizations required to comply with the California data breach notification law, as it affects virtually every website that provides user accounts.

Organizations should first identify activities that involve the handling of user account information. Using strong cryptography to protect this information, where practical, may provide both a good degree of security and protection from SB-46, as it likely applies only to the compromise of unencrypted information. At the same time, this may serve as an opportunity to review existing breach notification practices to ensure that they comply with the law in the jurisdiction(s) where an organization operates.

This was first published in October 2013

Dig deeper on Data Privacy and Protection

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close