SB 1386, also known as the Security Breach Law, is a California law that regulates customer notification of security breaches that pose a risk to the security of private information. The 2003 law is a landmark piece of legislation that amended earlier laws in an attempt to fight increasing levels of computerized identity theft. SB 1386 makes any company that requests or maintains private information, such as account numbers or driver's license numbers, legally required to notify California residents of any security breach that poses a reasonable risk to personal data.
The goal of SB 1386 is partly to ensure that companies take adequate precautions in guarding private data. Just as a person wouldn't put valuables in a safe from a company known for poor locks, neither should a person put important personal data in the hands of a business that does not take fair measures to ensure that it cannot be stolen and used for identity theft. Critics suggest that the law unfairly requires the victims of a crime like hacking, meaning the businesses, to publicly announce their victimization. Proponents, on the other hand, suggest that the true victims are those whose data has been compromised, and that the law prevents companies from preserving their reputation by concealing security breaches at a risk to the safety of employees or customers.
Though identity theft has long been a crime, the anonymity of the Internet has given thieves a far greater opportunity to make use of stolen personal data. The law was created in response to law enforcement studies that noticed a marked rise in the levels of identity theft since the use of computerized, Internet-accessible databases became popular. By making companies responsible for the safety of employee or customer data, SB 1386 took a large step toward changing the concept of the value of personal data.
SB 1386 specifically requires that three types of companies speedily inform customers of a breach: those that have any employees or customers in California, outsourced companies that work with employees or customers in California, or those that gather and hold any computerized information on California residents. The law covers the behavior of all organizations, including private businesses, schools, and public offices.
A breach requires reporting if there is a reasonable belief that information may have been compromised. Information that qualifies for reporting includes the first and last name, or first initial and last name, of any customer or employee in combination with personal data such as a driver's license, Social Security card, bank account number, credit or debit card information, or security passwords. If a breach is suspected, any person with an entry in the database must be promptly notified by email, phone call, letter, or a prominent posting on the company website. Failure to comply with SB 1386 can result in a civil lawsuit.