Date: July 1, 2003

Attention: ASCIP Members and Service Providers

Subject: SB 1386 Personal Information: Privacy Law now in Effect


Identity theft and the security of personal information have become increasingly difficult to control. Businesses that are custodians of computerized personal information about their employees or their clients have attempted to safeguard such information in various ways that, in some cases, have proved inadequate. Until now, no California law has required the disclosure of a breach of security and/or unauthorized access to unencrypted data files involving such personal information.

SB 1386 was enacted on September 26, 2002, and became effective today, July 1, 2003. This Bill changes the California Civil Code by adding sections 1798.29 and 1798.82, which now require a business or other holder of unencrypted computerized personal data to take specific steps to notify, in a timely manner, each person in the affected database when the security of that data has been breached or the data has been acquired by an unauthorized person.

The Bill enumerates a number of ways such notifications may be made and provides for civil remedies when individuals suffer damages from non-compliance with this legislation. Media reports indicate that a similar Federal law is being developed which may impose specific financial penalties for non-compliance.

All ASCIP members and service providers are encouraged to become familiar with these requirements and take steps to address such concerns as soon as possible.

Reviewed July, 2006