California Disclosure of Security Breach
Cal. Civ. Code § 1798.29, 1798.80, et seq.
EFFECTIVE. July 1, 2003
WHO DOES THIS LAW APPLY TO. (1) Any person, business or state agency that conducts business in California and owns or licenses computerized data that includes Personal Information; and (2) any person or business that maintains computerized data that it does not own which includes California resident’s Personal Information, whether or not they conduct business in California.
WHAT IS A BREACH. Unauthorized acquisition of computerized data maintained by an entity that compromises the security, confidentiality or integrity of Personal Information of a California resident.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element or name is not encrypted:
- Social Security number.
- Driver’s license number or California Identification Card number.
- Account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to a financial account.
- Medical information, including history, condition, diagnosis or treatment.
- Health insurance information, including policy number, subscriber I.D. or any unique identifier, claims history, or appeal records.
- User name or email address, in combination with a password or security question and answer that would permit access to an online account.
Personal Information does not include publicly available information from Federal, State or local government records.
WHO TO NOTIFY OF THE BREACH. An entity shall disclose any breach following discovery or notification of the breach to any California resident whose unencrypted Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person. If more than 500 California residents are involved in the security breach, a single sample of the notification, excluding any Personal Information, shall be electronically submitted to the Attorney General.
EXCEPTIONS. This Section does not apply to the following:
- Good faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach, provided that the personal information is not used or subject to further unauthorized disclosure.
- Own Notification Policy exception. An entity which maintains its own notice procedures as part of a Personal Information security policy, and is otherwise consistent with the timing requirements of this section, shall be deemed in compliance with this section if affected individuals are notified by the entity in accordance with its policies.
- HIPAA Covered Entities exception. Entities covered under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) will be deemed in compliance if they have fully complied with Section 13402(f) of the Health Information Technology for Economic and Clinical Health Act (“HITECH”).
WHEN TO NOTIFY OF THE BREACH. Notification must be sent in the most expedient time possible, without unreasonable delay, and consistent with any measures necessary to determine the scope of the breach and restore integrity to the system. Notification may be delayed if it will impede a criminal investigation, as determined by law enforcement. In that instance, notification will be made promptly following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written notice.
- Electronic notice, if the notice is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (“E-SIGN Act”).
- Substitute notice as provided below.
For breaches of an email account furnished by the entity, notice may not be provided to the email address involved in the breach, but may be provided by one of the following methods:
- Written notice.
- Electronic notice, if the notice is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (“E-SIGN Act”).
- Clear and conspicuous notice delivered online when the individual is connected to the online account from an IP address or online location from which the entity knows the individual customarily accesses the account.
- Substitute notice as provided below.
For breaches of only a user name or email address, in combination with a password or security question and answer, that would permit access to an online account, the notice may be provided in electronic or other form and should direct California individuals to:
- Promptly change their password and security question and answer.
- Take other appropriate steps to protect their online account with the entity, and any other online accounts that use the same user name, email address, password, or security question and answer involved in the breach.
Notification to affected individuals shall be written in plain language and include the following:
- Date of the notice.
- Name and contact information of the reporting person or entity.
- List of the types of Personal Information believed to have been breached.
- Date, estimated date or date range of the breach, if possible to determine.
- Whether notification was delayed due to a law enforcement investigation.
- General description of the breach incident, if possible to determine at the time of the notice.
- Toll-free telephone numbers and addresses of the major credit reporting agencies, if a Social Security number, driver’s license number or California identification card number was part of the Personal Information breached.
- If the breach exposed Social Security numbers, driver’s license numbers or California identification card numbers, and the entity providing the notice was the source of the breach, the entity must offer to provide identity theft prevention and mitigation services, if any, at no cost for not less than 12 months, along with the information necessary for individuals to take advantage of the offer.
The entity may also include the following, at its discretion:
- Information regarding what has been done to protect the affected individuals.
- Advice on steps the affected individuals may take to protect themselves.
SUBSTITUTE NOTICE. If the entity can demonstrate that the cost of providing notice would exceed $250,000, that the affected class of individuals to be notified exceeds 500,000, or that the entity does not have sufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice, when the entity has an email address for the affected individual.
- Conspicuous posting of the notice on the entity’s website, if one is maintained.
- Notification to major statewide media and the California Office of Privacy Protection.
NOTICE TO THIRD PARTIES. If an entity maintains unencrypted data that includes Personal Information that the entity does not own, then notification shall go to the owner or licensee of any such data immediately upon discovery of the security breach.
CONSEQUENCES FOR FAILING TO NOTIFY. Any business that violates, proposes to violate, or has violated this title may be enjoined. Any customer injured by a violation of this title may institute a civil action to recover damages of up to $500 per violation. For a willful, intentional or reckless violation, a customer may recover a civil penalty of up to $3,000 per violation.
PRIVATE RIGHT OF ACTION.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS.
LEGISLATIVE UPDATES.
S.B. 1386 – Signed into law on 9/25/2002, Effective 7/1/2003.
S.B. 24 – Signed into law on 8/31/2011, Effective 1/1/2012.
S.B. 46 – Signed into law on 9/27/2013, Effective 1/1/2014.
A.B. 1710 – Signed into law on 9/30/2014, Effective 1/1/2015.
A.B. 964, S.B. 570, S.B. 34 – Signed into law on 10/6/2015, Effective 1/1/2016.
A.B. 1130 – Signed into law on 10/11/2019, Effective 1/1/2020.
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.