What is CA SB 1386 about?

Effective since July 1st 2003, CA Senate Bill 1386 mandates all public or private agencies that conduct business in California to provide notification if there is a security breach to the electronic database containing personal information of any California resident. Section 2 (d) states that breach of the security of the system means “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business”.

The statute defines personal information as first name or first initial and last name in combination of one or more of the following: social security number, driver’s license number or California Identification Card number, accounting number, credit or debit card number, in combination with any required security code/access code/password that would permit access to an individual’s financial account. The purpose of the bill is to protect possible identify theft, and it was expanded in 2008 with Assembly Bill 1298, to include medical records and health insurance information under the umbrella of “personal information” as well. This law applies to all businesses maintaining medical information, even if they are not health care providers under the Confidentiality of Medical Information Act (CIMA).

Why does it matter?

California’s data breach notification law was the first in the nation. Since then, it has inspired similar laws in over 40 other states with the exceptions of Alabama, Kentucky, Mississippi, Missouri, New Mexico and South Dakota. So unless you only do business with residents of these few exceptional states, chances are the data breach notification law matters to you.

This is important because it applies to all public and private sectors who conduct business with California residents even if the business is headquartered at another state other than California. In other words, if your company has any customer or employee residing in the state of California then you are affected. Violation of the law could lead to civil lawsuits, as stated in its Civil Code Sec 1798.84 “any customer injured by a violation of this act may institute a civil action to recover damages”.

See the full text of CA SB 1386 here.

How LeapFILE can Help

Connect with us to learn more about how LeapFILE's secure file transfer & collaboration solutions can resolve data security compliance issues, get updates on data security regulations and join others in discussions for compliance best practices!

Find out how LeapFILE can help you here.