California Assembly Bill No. 1950 and Senate Bill 1386 report

This report displays issues found on your site that are noncompliant with these regulations. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered violations of the regulation.

Why it matters

AB 1950 imposes requirements on businesses that maintain personal information, in any form, about one or more California residents. AB 1950 has two basic requirements:

  • All businesses that possess personal information about California residents must implement and maintain security procedures to protect that personal information; and
  • All businesses that disclose personal information about California residents to a third party must require that the third party maintain security procedures to protect the personal information.

SB 1386 requires any state agency, or person or business that conducts business in California and owns or licenses data about a California resident, to disclose any breach of personal data security to any resident of California whose unencrypted sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person.

Best practices for complying with California Assembly Bill No. 1950 and Senate Bill 1386

  1. Identify the kinds of personal information that the business collects and maintains, including paper-based and electronically stored personal information.
  2. Determine the level of risk that the potential loss or unauthorized disclosure of information poses to your business and to the public.
  3. Determine if your security measures and procedures are reasonable. In making this determination, weigh the costs of the protection that you currently provide against the damages the business would sustain if the data were to be lost or improperly disclosed.
  4. Adjust procedures and practices so that the type and level of protection provided to the personal information is appropriate for the degree of risk of loss or improper disclosure of that information.