Major thefts and misappropriations of computerized personal and financial information are causing legislators nationwide to focus on this issue. Amid rising concern over the problem of identity loss, California and other states have enacted laws to give members of the public prompt notification that their personal information may have been misappropriated. Because the 2002 California law is the model that other states have followed in enacting data security breach notification requirements, several points should be noted with respect to that law.

General scope.

The California law applies to any company that does business in the state and that owns or licenses computerized data that includes personal information. "Personal information" is defined as a combination of two categories of information: identifying information (i.e., a person's first name or initial and last name) and any item in a specific list of data elements -- Social Security number, driver's license or California ID card number, or a financial account number in combination with the account password, security code or access code. To constitute personal information, the security breach must involve both identifying information and one of the specified data elements but does not include publicly available information that is lawfully made accessible to the general public from government records.

Encryption.

The notification requirements of the California law don't apply if either the personal identifying information or the data elements are in encrypted form.