Existing law requires an individual or a business that owns or licenses computerized data including personal information to disclose a breach of the security of the system to any California resident whose unencrypted personal information was compromised. SB 446 requires that this disclosure be made within 30 calendar days of discovery or notification of the data breach; however, SB 446 allows delay of disclosure to accommodate the legitimate needs of law enforcement or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Existing law also requires that, if an individual or business must issue a disclosure to more than 500 California residents as a result of a single breach, it must submit a sample disclosure to the Attorney General (AG). SB 446 requires that this submission to the AG be made within fifteen (15) calendar days of notifying affected consumers.
(SB 446 amends Section 1798.82 of the Civil Code.)