This was an early example of many future U.S. and international security breach notification laws, it was introduced by California State Senator Steve Peace on February 12, 2002, and became operative July 1, 2003.
This requires an agency, person or business that conducts business in California and owns or licenses computerized 'personal information,' to disclose any breach of security (to any resident whose unencrypted data is believed to have been disclosed).
[2] The bill mandates various mechanisms and procedures with respect to many aspects of this scenario, subject also to other defined provisions.
An out-of-state corporation that has personal information relating to a California resident would fall under this statute.
A corporation can also avoid reporting if its data does not contain "personal information" relating to a California resident.