CA SB1166

Requires agencies, persons, and businesses that own or license computerized data containing personal information to notify California residents of security breaches in the most expedient time possible and without unreasonable delay.

Mandates that security breach notifications be written in plain language and include the reporting entity's contact information, types of personal information breached, breach date or date range, description of the incident, and credit reporting agency contact information if social security or driver's license numbers were exposed.

Requires entities issuing breach notifications to more than 500 California residents to electronically submit a sample copy of the notification to the Attorney General.

Exempts covered entities under the federal Health Insurance Portability and Accountability Act (HIPAA) from these notification requirements if they comply with federal Health Information Technology and Clinical Health Act requirements.

Permits notification through written notice, electronic notice, or substitute notice (email, website posting, and media notification) if the cost of direct notification exceeds $250,000 or would affect more than 500,000 individuals.