All U.S. states have laws about data security and what to do when there’s a data breach. California’s was the landmark law, first taking effect in 2003. Here is what California requires.
Who The Laws Apply To. The laws apply to any person or business that conducts business in California and that owns or licenses computerized data that includes personal information. They also apply to anyone who maintains computerized data for someone else.
California defines personal information as either of the following:
- An individual’s first name or first initial and last name in combination with one or more of the following data elements, when either the name or the data elements are not encrypted:
  - Social security number;
  - Driver’s license number or California identification card number;
  - Account number, or credit or debit card number, in combination with any required security code, access code or password that would permit access to the individual’s financial account;
  - Medical information;
  - Health insurance information; or
  - Information or data collected through the use or operation of an automated license plate recognition system.
- A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
What The Laws Require. The trigger is discovery of, or notification about, a breach of the security of the system holding the computerized personal information. Once the data owner or maintainer discovers such a breach, notification is required.
What is a Breach. The term “breach” under this law means unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the person or business. Good-faith acquisition by an employee or agent for the purposes of the business is not a breach, provided the information is not used or subject to further unauthorized disclosure. The breach can be of unencrypted personal information. It can also be of encrypted personal information, if the encryption key or security credential was (or is reasonably believed to have been) acquired by the unauthorized person and the business reasonably believes the key or credential could render the information readable or usable.
When and How to Notify. If a breach has occurred or is reasonably believed to have occurred, the obligation depends on the business’s role. A business that owns or licenses the data must notify the affected individuals “in the most expedient time possible and without unreasonable delay.” A business that merely maintains the data for someone else must notify the owner or licensee “immediately following discovery”; it is then the owner or licensee who notifies the individuals.
California has very specific requirements on breach notification. All of the following must be met:
- The notification shall be written in plain language, with text in at least 10 point type;
- The notification must be titled “Notice of Data Breach,” and shall present the information under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information”;
- The notification must include, at a minimum, the following:
- The name and contact information of the reporting person or business;
- A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
- If the information is possible to determine at the time of the notice, then any of the following: (i) date of the breach, (ii) estimated date of the breach, or (iii) date range within which the breach occurred;
- Whether notification was delayed as a result of law enforcement investigation;
- Description of the breach incident;
- Toll-free phone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number, driver’s license or California identification card number;
- If the person or business making the notification was the source of the breach, and the breach exposed or may have exposed a social security number, driver’s license number or California identification card number, then it must offer to provide appropriate identity theft prevention and mitigation services at no cost for at least 12 months, together with the information needed to take advantage of the offer.
Use of California’s model security breach notification form deems the reporting business to be in compliance with the notification requirement.
Notification may also include information such as advice on steps a person may take to protect themselves, and, for a breach of online account credentials, a direction to change the password and security question or answer. Written notice is permitted. Electronic notice is permitted if it complies with the federal Electronic Signatures in Global and National Commerce Act (E-SIGN).
Substitute notice may be permitted if more than 500,000 people need to be notified, if the cost of providing notice would exceed $250,000, or if the notifier does not have sufficient contact information. Substitute notice consists of all of the following: (a) email notice when the business has an email address for the person; (b) conspicuous posting of the notice on the company’s website for at least 30 days; and (c) notification to major statewide media.
If a single breach requires notification to more than 500 California residents, a sample copy of the notification must be submitted electronically to the California Attorney General.
What if You Comply with Your Own Information Security Policy. A person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information is deemed to be in compliance if it follows those procedures, notifies the affected persons in accordance with them, and the procedures are otherwise consistent with the timing requirements above.
What if Law Enforcement is Involved. Notification may be delayed if a law enforcement agency advises that notification will impede a criminal investigation. Notification “shall be made promptly” after law enforcement determines that it will not compromise the investigation. Close cooperation to protect the interests of the business is well advised.
What are the Penalties. Any customer injured by a violation of the general breach notification statute may file a civil action to recover damages. A customer that wins his case can also recover reasonable attorney’s fees and costs. Any business that violates, proposes to violate, or has violated these laws may be enjoined.
The primary law is found at California Civil Code §§ 1798.82 and 1798.84, and a similar law for state agencies is at § 1798.29. In the event of a breach, a business should act immediately to secure its systems, get the word out, and protect itself and its customers. It is also advisable to have a data breach response plan in place beforehand, and to test that plan before a breach arises.