toggle accessibility mode
california data breach notification law

California Data Breach Notification Law

By John DiGiacomo

California law takes the privacy of its residents seriously. Privacy is an inalienable right guaranteed to California residents by the California Constitution. It was the first state to enact laws protecting the rights of Californians to be notified of data security breaches.

When it comes to data breaches in California, state agencies and businesses have a duty to protect customer information. California residents who are a victim of the data breach have a right to be notified if their unencrypted data was exposed.

Under California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a), state agencies and businesses have an obligation to notify California residents who have been the victim of an encrypted data security breach.

Who is Protected Under the California Data Breach Notification Law?

California’s data breach notification laws protect all Californians. Employees, consumers and residents of the Golden State are protected under these laws. Since California businesses and state agencies are required to notify all California residents of a data security breach, many non-residents are incidentally also notified of the data security breach as a byproduct of these laws.

What is Personal Information?

For the purposes of the California data breach notification law, “personal information” includes a person’s first name or first initial and the person’s last name, in conjunction with any of the following additional data elements:

  • The person’s social security number.
  • A driver’s license or California identification card number.
  • The person’s medical information or health insurance information.
  • A person’s account, credit card number, or debit card number, In combination with that account security code, password or access code, such that unauthorized access to these accounts could be achieved.
  • Information collected through an automated license recognition system.

If the data that was breached was encrypted data, Californians do not need to be notified. Encrypted meaning the data was rendered unusable, undecipherable, or unreadable to the unauthorized person who accessed the data.

Who Must Comply With the Data Breach Notification Laws?

People and companies that conduct business in California, along with California government agencies, are required to comply with the California data breach notification law.

This means that even companies who have their business headquarters in a state other than California are required to provide California residents with notification of a security data breach if they conduct any business in the state of California.

In essence, any business that has access to a California resident will be required to comply with the notification laws. On the other hand, businesses that do not have operations and do no business in the state of California are not required to comply with California’s data breach notification laws.

Requirements for Notification Compliance

State agencies and businesses in California that have had a data breach must satisfy certain notification requirements in order to be in compliance with the law. The notice must be in plain language. The font of the notice must be no smaller than 10-point size, and use clear and inconspicuous headings, such as “Notice of Data Breach”.

The notice must convey the following information:

  • Who is issuing the notification.
  • What happened, including the date range affected by the breach.
  • Identification of what information was involved in the data breach.
  • Whether there was a delay in providing the notification due to an investigation by law enforcement.
  • What the agency or business is doing to resolve the problem.
  • What victims can do to protect themselves.
  • Where to find more information about the data breach. 

Are There Sanctions and Remedies Available to Victims?

If California residents are notified of their involvement in a data security breach in a timely fashion, the victim could be entitled to damages through a private action or claim for liquidated damages.

Talk to a Data Breach Lawyer

Revision Legal understands the dynamic nature of cyber security. Revision Legal has worked with businesses of all sizes to assess data retention risks. When necessary, we provide counsel on the California data breach law. If you have concerns about your company’s exposure or have received a notification that you have been a victim of a data breach incident, contact the experienced data breach attorneys at Revision Legal.

Civil fines are available in some states for a failure to expeditiously notify those affected by breaches. Contact our internet lawyers using the form on this page or call us at 855-473-8474.

Photo credit to Flickr user Anh Dinh.

This post was originally published in November, 2015. It has been updated for clarity and comprehensiveness.

Put Revision Legal on your side