HI SB1186

Expands the definition of "personal information" to include medical information, health insurance information, and online usernames/email addresses combined with passwords that provide account access.

Requires businesses and government agencies that don't own personal information but maintain it to notify the owner or licensee of security breaches no later than ten days following discovery, changing from the previous "immediately" requirement.

Requires notification to affected individuals to occur without unreasonable delay following discovery or notification of a breach, consistent with law enforcement needs.

Adds new required contents for breach notification notices, including the date or approximate date of the breach, whether law enforcement delayed notification, and credit reporting agency contact information if a civil identification card number or social security number was exposed.

Becomes effective July 1, 2015.