The California Breach Law imposes duties on any company that employs or sells to people in California. It imposes a duty of care not to disclose personally identifiable information to other parties and to take reasonable steps to protect the information from purposes other than those for which it was released. Any person or business that conducts business in California, which owns or licenses computerized data that includes personal information, must disclose any breach of the security to any resident of California whose unencrypted personal information was acquired by an unauthorized person.
Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
Social security number
Driver's license number or Identification Card number
Credit or debit card number, in combination with any required security code...