California Cyber Security Law: Data Breach Notification

Businesses gather a lot of information from their customers, including personal identifying information (PII). Because of the sensitivity of this information, many states have adopted standards that businesses must follow to safeguard PII. These standards often include data security breach notification requirements.

In California, these laws are enforced by the California attorney general’s office. This Cyber Security Law Summary provides an overview of California’s data breach notification requirements. Businesses can use this information to understand their responsibilities in protecting PII of California customers.

Cyber security Responsibilities

California law requires businesses and individuals that own, license or maintain PII about Californians to safeguard that information. Businesses must implement reasonable security procedures and practices to protect PII from unauthorized access, destruction, use, modification or disclosure.

Under California law, “owning” and “licensing” includes retaining an individual’s PII in an internal account for the purpose of conducting transactions with the individual in question.

Businesses that disclose PII to a third party must have a contract in place requiring the third party to implement and maintain reasonable security procedures and practices.

The responsibility to safeguard PII begins when the information is first acquired and remains in effect until the information is properly disposed of. This means that businesses must also take reasonable steps to dispose of customer records that are within their custody.

Adequate disposal methods include shredding, erasing and otherwise modifying the records where the information is stored to make them unreadable or undecipherable. Businesses can use any means necessary to dispose of PII properly.

Affected Entities

Breach notification requirements apply to individuals and businesses in California that own, license or maintain PII about Californians. Under these laws, a business is any group that is organized, chartered, or holds a license or authorization certificate under California law or the law of any other state, the federal government or of any other country. This definition of business includes any sole proprietorship, partnership, corporation, association and financial institutions. The term also includes any entity that disposes of records.

Certain businesses are exempt from California’s breach notification law, including:  

• Health care providers, health care service plans or contractors regulated by the Confidentiality of Medical Information Act;
• Financial institutions that are subject to the California Financial Information Privacy Act;
• Businesses governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules;
• Entities that obtain information under an agreement authorized by the vehicle code and that are subject to the confidentiality requirements of the vehicle code; and
• Businesses that are regulated by state or federal laws that provide greater protections to PII than what is required under California’s breach notification laws. This last exemption is possible because compliance with stricter state or federal laws will be considered compliance with California laws.

Affected Information

Under the breach notification law, PII includes an individual’s first name or first initial and last name in combination with one or more of the following:

• A Social Security number;
• A driver’s license number or California identification card number;
• An account, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial information;
• Medical information (meaning any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional);
• Health insurance information (meaning an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records); and
• Information or data collected through the use or operation of an automated license plate recognition system.

PII also includes a username or email address, in combination with a password or security question and answer that would permit access to an online account.

PII does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.

What is a Security Breach?

Under the law, a security system breach is an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the PII maintained by another person or business.

Determining whether a breach took place under the law depends on whether the affected information was encrypted or unencrypted, as shown in the table below.

Data Breach Notification

California law requires businesses to provide written notice of a breach to the security of their systems if they own or license computerized data that includes PII.

Who must be notified?	Businesses must notify any person whose PII was compromised as a result of a data breach (as defined above). In addition, any business that is required to notify more than 500 California residents as a result of a single breach must submit a single sample copy of that notification to California’s attorney general. Businesses that maintain, but do not own or license, PII must inform the entity that owns or licenses the information of any security breach if the PII was, or is reasonably believed to have been, acquired by an unauthorized person.
Mandatory Notification Content	A valid data breach notification must be written in plain language and must be titled “Notice of Data Breach.” This notification must include the following information (if available at the time the notification is sent): The name and contact information of the reporting person or business subject to these requirements; A list of the types of PII that was or is reasonably believed to have been compromised by the breach; The date of, the estimated date of or date range for the breach; Whether notification was delayed as a result of a law enforcement investigation; A general description of the breach incident; The toll-free numbers and addresses for the major credit reporting agencies (if the breach exposed a Social Security number, driver’s license number or California identification card number); An offer to provide appropriate identity theft prevention and mitigation services for affected individuals for at least 12 months (if the entity providing the notification was the source of the breach); and Instructions on how to take advantage of the 12-month identity prevention and mitigation services offered (as applicable).
Optional Notification Content	The following information may be included in a breach notification at the discretion of the entity sending the notice: Information about what has been done to protect individuals whose information has been breached; and Advice on steps affected individuals may take to protect themselves.
When to Send the Notification	Data breach notifications must be made as soon as possible, without unreasonable delay. Timely notifications must take into account legitimate needs to cooperate with law enforcement, determine the scope of the breach and restore a reasonable integrity of the data system. For example, the notification requirement may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.
How to Send the Notification	Under California law, breach notification can be sent in print, electronically or through a substitute notice, as defined below. The use of electronic notices is acceptable, as long as all timing, content and formatting requirements are met. Electronic notifications must also follow federal laws regarding electronic records and signatures in commerce. A valid substitute notice must include: An email notice (when the business has an email address for the affected individuals); Conspicuous posting, for a minimum of 30 days, of the notice on the internet website page of the business, if the business maintains one. Conspicuous posting means providing a link to the notice on the home page or first significant page after entering the business’ website. The link must stand out from the surrounding text by using larger type, contrasting type, font or color to the surrounding text. The text may also stand out by using symbols or other marks that call attention to the link; and Notification to major statewide media. Substitute notice may also be provided if the business demonstrates that the cost of providing notice would exceed $250,000, the affected class of subject persons to be notified exceeds 500,000 or the business does not have sufficient contact information.

Required Format

The notice must be designed to call attention to the nature and the significance of the message. This includes making sure that the title and headings are clearly and conspicuously displayed and using a font type that is 10 point or larger.

In addition, the data breach notice must organize the information according to the following headers:

• What happened
• What information was involved
• What we are doing
• What you can do
• For more information

Safe Harbor

A business that maintains its own notification procedures as part of an information security policy for the treatment of PII is in compliance with the notification requirements mentioned above if it:

• Notifies individuals in accordance with its policies in the event of a breach; and
• The notification takes place within the time constraints mentioned above.

Enforcement

Businesses cannot waive any of the responsibilities imposed on them by California’s breach notification laws. Any business that fails to comply with these requirements may be required to pay damages and penalties to injured customers by a civil court. Any business that violates, proposes to violate or has violated notification requirements may be subject to these sanctions.

The amount of damages depends on the extent of the harm or injury caused to the customer. The penalty is typically $500 per violation, but a court may order the penalty to be as much as $3,000 per penalty for willful, intentional or reckless violations.

A “customer,” for these purposes, is any individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.

Unless the violation is willful, intentional or reckless, a business that fails to provide adequate, complete and accurate notification to affected individuals can raise a complete defense against court penalties if it strives to remedy inadequate, incomplete or inaccurate notifications within 90 days of discovering an issue.