California law would require breach notice if online account information is stolen

Share this article:

The state Senate in California unanimously has passed a law that would require organizations that are breached to alert victims when intruders access online account information belonging to consumers.

Existing state law only requires notification when unauthorized individuals obtain "unencrypted Social Security numbers, driver's license numbers, medical information, health insurance information and specific financial account information, such as credit card numbers with security codes," according to Senate Majority Leader Ellen Corbett, who introduced the measure.

The new legislation, passed last week, would amend the definition of "personal information" under the state's breach notification law to also include "a username or email address, in combination with a password or security question and answer that would permit access to an online account."

Many consumers use the same login information across several websites, so theft of this data from one entity could allow fraudsters to potentially raid other accounts, such as online banking. According to documents chronicling the bill's history, it appears the flurry of mega password breaches this year, affecting companies like Yahoo and LinkedIn, prompted the update to the breach notification law.

“Cyber criminals are becoming increasingly savvy, particularly now that more individuals are using laptops, smartphones and even tablets to conduct personal business and shop online," Corbett said in a statement. "It is critical that consumers are informed whenever their information is accessed or stolen to minimize potential theft and damages."

The bill, dubbed SB-46, now makes its way to the state Assembly.

In 2003, California was the first state to enact a data breach notification law. Since then, nearly all other states have followed suit. There is no federal law, though there are national notification guidelines related to health care breaches.

Share this article:

Sign up to our newsletters

More in News

Five schools earn NSA's excellence in cyber ops distinction

The schools earned NSA's Centers for Academic Excellence designation for their cyber offerings.

With RATs at their disposal, 419 scammers target businesses

With RATs at their disposal, 419 scammers target ...

A new report reveals how Nigeria's 419 scammers are spreading malware to pocket business funds.

InfoSec pros worried BYOD ushers in security exploits, survey says

InfoSec pros worried BYOD ushers in security exploits, ...

A study by the Information Security Community on LinkedIn found most organizations don't have proper polices and support for BYOD.