What constitutes a breach?

The term breach of the security of the system is defined as "unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the person or business."

Who must be notified, and how?

The California law requires reasonably expedient notification to individuals whose unencrypted personal information "was, or is reasonably believed to have been acquired by an unauthorized person." Notice may be on paper or in electronic form. There is a provision for so-called substitute notice if the cost of notifying individual consumers would exceed US$250,000 or if the number of consumers to be notified exceeds 500,000.

Substitute notice consists of all of the following efforts: e-mail notice to those consumers for whom the company has an e-mail address, conspicuous posting on the company's Web site and notification to statewide media. If a security breach takes place while the information is in the hands of a third party -- such as a company to which data processing has been outsourced -- that party must promptly notify the owner of the information of the breach.