Two new laws regarding data breach notification and information privacy go into effect with the New Year.
The first, SB 46, expands the definition of “personal information” that triggers a data breach notification. The other, AB 370, requires disclosure of how a commercial website responds to “do not track” browser signals.
Existing law requires businesses to notify any California residents of a breach of their computerized, unencrypted personal information. Personal information is defined as an individual’s first name or first initial, in combination with his or her last name, and one or more of the following data elements:
- social security number;
- driver’s license number or California identification card number;
- account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
- medical information;
- health insurance information.
SB 46 expands that definition to include “a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.” This might be relevant for dental practices with websites that offer patient portals or patient-only access, where a patient could register for and log in to the site with an email or username and password. Electronic notification of the breach of an online account is permissible, unless an individual’s email account was breached. In that case, notice should not be sent to that email address, but rather via another method prescribed by law.
The other privacy-related law, AB 370, requires any operator of a commercial website that collects the personally identifiable information of California residents to disclose how the website responds to “do not track” browser signals.
Revised on 11/8/13