Late last week the California State Senate passed SB 46, which requires all California entities, both private and governmental, to notify customers upon discovery of a security breach. The law is similar to HIPAA in its notification requirements for security breaches affecting companies that store any customer information. The federal HIPAA law applies only to medical service providers that store patient health information, whereas existing California law applies to all entities storing customer data:
Existing law currently requires the groups noted above to notify their clients or customers when they reasonably believe that an unauthorized person has acquired personal information that includes unencrypted Social Security numbers, driver's license numbers, medical information, health insurance information and specific financial account information, such as credit card numbers with security codes. Unfortunately, current law does not require similar customer notification when passwords, usernames or security questions and answers are changed.
So it would seem that the newly proposed SB 46 would extend California's breach-notification requirements even further beyond HIPAA, requiring data holders to notify customers of a breach regardless of the type of information accessed.