California law would require breach notice if online account information is stolen

The state Senate in California has unanimously passed a law that would require organizations that are breached to alert victims when intruders access online account information belonging to consumers.

Existing state law only requires notification when unauthorized individuals obtain "unencrypted Social Security numbers, driver's license numbers, medical information, health insurance information and specific financial account information, such as credit card numbers with security codes," according to Senate Majority Leader Ellen Corbett, who introduced the measure.

The new legislation, passed last week, would amend the definition of "personal information" under the state's breach notification law to also include "a username or email address, in combination with a password or security question and answer that would permit access to an online account."

Many consumers use the same login information across several websites, so theft of this data from one entity could allow fraudsters to potentially raid other accounts, such as online banking. According to documents chronicling the bill's history, it appears the flurry of mega password breaches this year, affecting companies like Yahoo and LinkedIn, prompted the update to the breach notification law.

"Cyber criminals are becoming increasingly savvy, particularly now that more individuals are using laptops, smartphones and even tablets to conduct personal business and shop online," Corbett said in a statement. "It is critical that consumers are informed whenever their information is accessed or stolen to minimize potential theft and damages."

The bill, dubbed SB-46, now makes its way to the state Assembly.

In 2003, California was the first state to enact a data breach notification law. Since then, nearly all other states have followed suit. There is no federal law, though there are national notification guidelines related to health care breaches.
