WHEN THE state of California passed its now widely copied data disclosure law in 2003, it was the first state in the US to offer such protections for citizens and it set an international standard as well. More than 40 US states have since introduced similar laws.
The California law requires any state agency or company that handles the financial records of a California resident to inform the resident directly if those records are in any way breached and disclosed.
"Any person or business that conducts business in California, and that owns or licenses computerised data that includes personal information, [must] disclose any breach of the security system … to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorised person."
This was a requirement not just for California-based companies but for any company doing business with a Californian, including situations where the records are held outside California, and it applies to foreign companies as well.
The law has led to the revelation of thousands of data leaks that would otherwise not have needed to be reported to anyone, including several high-profile national incidents in which millions of records were breached by hackers. In those instances, only Californians were told of the violation.
In January, an additional bill was passed in California to give similar disclosure protection on medical and insurance records.
The new law covers the loss of data on medical histories, diagnoses and treatment for mental or physical conditions, insurance policies, insurance applications and claim histories.
The US legislature is attempting to bring in a national disclosure bill and British legislators are also arguing for a similar law.
KARLIN LILLINGTON