The California Senate is considering an update to the California Cyber
Security Bill. the new legislation is known as SB 852

"Existing law requires any agency, or a person or business
conducting business in California, which owns or licenses
computerized data that includes personal information, as defined, to
disclose in specified ways, any breach of the security of the data, as
defined, to any California resident whose unencrypted personal
information was, or is reasonably believed to have been, acquired by
an unauthorized person. Existing law allows that notification to be
delayed if a law enforcement agency determines that the notification
will impede a criminal investigation."

"This bill would require an agency, or a person or business
conducting business in California, that owns, licenses, or collects
computerized data that includes the personal information of a
California resident, to notify the resident of any breach of the
security
of the data, as specified, regardless of whether the data was
computerized when it was acquired."

The last sentence is the critical piece since it expands the coverage
to non-digital information. The legislation does not provide any safe
harbor provisions especially with regards to the disposal of hardcopy
records or to best practices/guidelines or standards that an
organization may implement for the protection of the PII. All records
managers should read the legislation and should make their corporate
counsel aware of the legislation.


Peter A. Kurilecz
Richmond, Va
[log in to unmask]

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance