Timing of Consumer Notification
Most expedient time possible and without unreasonable delay.
Method of Notice
Mail. Email permitted if complies with E-SIGN.
Breach Definition
Unauthorized acquisition of unencrypted computerized data that compromises security, confidentiality or integrity of personal information; or of encrypted personal information, if encryption key or security credential was acquired by unauthorized person.
PII Definition

A. Individual’s first name or first initial and last name in combination with any of these if unencrypted:

  1. Social security number; or
  2. Driver’s license number or California identification card number; or
  3. Account number, credit or debit card number, in combination with security code, access code or password that would permit access to financial account; or
  4. Medical information; or
  5. Health insurance information; or
  6. Information or data collected through use or operation of automated license plate recognition system; OR

B. User name or email address, in combination with password or security question and answer that would permit access to online account.

Third Party Notice
If you maintain covered information for someone else, you must notify them immediately after discovery of breach.
How to Notify

All of the following must be included:

  • Use plain language, in at least 10 point type;
  • Must be titled “Notice of Data Breach,” and have headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information”;
  • Must include:
    1. Name and contact information of reporting person or business;
    2. Types of personal information that were subject of breach;
    3. If possible to determine, date or estimated date of breach or its time range;
    4. Whether notification delayed as result of law enforcement investigation;
    5. Description of breach incident;
    6. Toll-free phone numbers and addresses of major credit reporting agencies, if breach exposed social security numbers, driver’s license or California identification card numbers;
    7. If person or business making notification was source of breach, it must offer to provide free identity theft prevention services for at least 12 months.
Substitute Notice
All: (a) email; (b) conspicuous posting of notice on company’s website for at least 30 days; and (c) notification of major statewide media.
Credit Monitoring
If you were source of breach, you must offer free identity theft prevention services for at least 12 months.
When to Notify Credit Agencies
No requirement.
This State's Law
If you are required to notify California Attorney General, you must do so electronically through its website.
State Government Agency Notification Required
If more than 500 California residents must be notified.