In 2012, new statutes in California and Texas will require that providers make state-specific changes to their existing privacy compliance procedures. The changes made in California are detailed below. Texas’s new law is addressed in "Texas (and California) Increase Privacy Requirements."

California’s Senate Bill 24 (SB 24), which took effect on January 1, 2012, makes substantial modifications to sections 1798.29 and 1798.82 of the Civil Code, two of the state’s several data breach notification laws. Section 1798.82 applies to any person or business that conducts business in California, and in effect appears to serve as the state’s “floor” provision, applying certain data breach reporting responsibilities to essentially every entity doing business in the state. In addition, under existing California law, certain licensed health care providers are subject to separate, additional breach notification law – Health & Safety Code § 1280.15, for example, which imposes additional specific obligations (including a five-day disclosure deadline) on the specifically identified entity types. SB 24 makes no changes to these existing requirements....