A new amendment to California’s breach notification statutes extend notification requirements to the breach of California residents’ online account credentials, with distinctive obligations regarding method and content of such notices.  Other states may soon follow suit, as they did after California enacted the first US breach notification statute in 2003 – within a few years, 45 other states adopted breach notice requirements modeled in varying degrees on California’s.

Effective January 1, 2014, SB 46 expands the definition of “personal information” in California’s breach notification statutes applicable to businesses (Cal. Civ. Code § 1798.82) and government agencies (Cal. Civ. Code § 1798.29) to include “user name or email address, in combination with a password or security question and answer that would permit access to an online account.”  Currently, California’s breach notification statutes only apply to breach of an individual’s name in combination with his or her Social Security number, driver’s license number or state issued identification card number, financial account number, medical information or health insurance information.

Where no personal information other than online account credentials is breached, the breached entity may comply with the individual notification requirements by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account relating to the credentials, as well as any other online accounts for which the affected individual uses the same credentials or security question and answer.  Further, under the amended statutes, where breached account credentials relate to an email account furnished by the breached entity, notification of the breach must not be sent to that email account, but rather via another permissible method of notice.