CIPP/US Study Guide
Chapter 2: U.S. Legal Framework

Applying the Framework: California SB 1386 Breach Notification

California SB 1386 was the first breach-notification law. It covers entities doing business in California that hold computerized personal information, requires expedient notice of breaches of unencrypted data, is enforced by the California AG with a private right of action, and exists to fight identity theft.

SB 1386 through the six-question lens

Who is covered?
Entities doing business in California that own or license computerized data with personal information (natural persons, legal persons, government agencies)

What is covered?
Computerized personal information of California residents - a name plus an unencrypted SSN, California ID, driver's license number, or financial account/card number with access code

What is required?
Disclose any breach to affected California residents in as expedient a manner as possible

Who enforces?
The California attorney general, plus a private right of action

Why?
Breaches are feared to cause identity theft; individuals should be notified to protect themselves

Encrypted or name-only data is exempt

Databases with only names and addresses or only encrypted information are NOT subject to SB 1386. The trigger requires a name combined with an unencrypted qualifying data element.

Good-faith employee exception

There is an exception for good-faith acquisition by an employee or agent, provided the information is not used or further disclosed. Notice may also be delayed if law enforcement requests it.

Key terms - quick answers

What is “California SB 1386”?
The first U.S. security breach notification law, covering entities doing business in California that own or license computerized personal information.
What is “Breach of system security”?
Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.