California

AB 700 and SB 1386
Civil Code Section 1798.25 et seq.
CITATION Civil Code § 1798.25 - 1798.29
SUMMARY

Protects against unauthorized access of computerized data compromising the security, integrity, or confidentiality of personal information.

Requires notification if it is determined that personal information has been or will be misused. Notification may be delayed if it would impede a law enforcement investigation. Allows substitute notice if the breach affects more than 500,000 people, or if notice would cost more than two hundred fifty thousand dollars ($250,000).

DATA COVERED

When not encrypted, a person's first name or initial and last name combined with:

  1. Social Security number;
  2. Driver's license or state ID number; account number, credit or debit card number, combined with any info that allows access to account; or
  3. Medical information and health insurance information.

INDUSTRY Applies to any person or business that conducts business in California and owns, licenses, or maintains computerized data including personal information, and to any agency that owns, licenses, or maintains computerized data including personal information.
PENALTIES Act does not provide penalties for violations.


Consumer Report Security Freeze Law of 2003
CITATION Civil Code Section 1785.10 - 1785.19.5
SUMMARY

An agency is required to notify individuals following the discovery of the breach of security of the data on any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

Substitute notice is allowed if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information.

DATA COVERED

The law covers ‘Unencrypted Personal Information.’ Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

  1. Social Security number.
  2. Driver's license number or California Identification Card number.
  3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
  4. Medical information.
  5. Health insurance information.

INDUSTRY Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information.
PENALTIES Act does not provide penalties for violations.


Civil Code § 1798.80 – 1798.84
CITATION California Civil Code § 1798.80 - 1798.84
ENACTED 2003
SUMMARY The law establishes requirements for adequate protection and security to be provided for personal information. Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
DATA COVERED

The law covers "Personal Information," which means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to:

  1. His or her name;
  2. Signature;
  3. Social Security number;
  4. Physical characteristics or description;
  5. Address;
  6. Telephone number;
  7. Passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

Substitute notice is allowed if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information.

The law also establishes requirements for the use of personal information in connection with direct marketing.

INDUSTRY Applies to a "Business" that owns or licenses personal information about a resident of California. A “business” means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this state, any other state, the United States, or of any other country, or the parent or the subsidiary of a financial institution. The term includes an entity that disposes of records.
PENALTIES A prevailing plaintiff in any action commenced under Section 1798.83 is also entitled to recover his or her reasonable attorney's fees and costs.