California's SB1386 statute creates seismic change in privacy protections

Like an earthquake threatening a seismic shift, California is a state on the move. It’s only been a few months since a hacker obtained the personal information of more than 200,000 state employees, but California’s legislature quickly retaliated, passing Senate Bill 1386, which expands protections for personal data stored online.

The bill, which was signed into law by Gov. Gray Davis in September, modifies the state’s civil code. It requires government agencies and private companies that store confidential information on individuals to disclose any breaches of that confidentiality to the individuals affected.

Personal information is defined as a person’s first and last name obtained in any combination with other pieces of information such as a Social Security number, credit card number or driver’s license number, according to the language of the bill.

Notification of unauthorized access can come in a variety of forms, according to the bill. They include written notice, electronic notification that adheres to federal guidelines for electronic records and signatures, or e-mail notices and public website postings in cases where mass notifications are required.

Although the law contains exemptions for situations in which notification would compromise the integrity of ongoing criminal investigations, the California law still exceeds federal online privacy protections, according to a statement published by the Electronic Privacy Information Center (EPIC), a public interest research group based in Washington, D.C.

Federal laws do not mandate notification when personal information is accessed without authorization, EPIC says.

The new law comes amidst rising concern about the problem of identity theft.
The bill’s authors note that more than 1,900 cases of identity theft were reported in Los Angeles County alone in 2000, an increase of more than 100 percent from the previous year.

The changes to the California Civil Code enacted by Senate Bill 1386 take effect on July 1, 2003.