
California Data Breach Notification Law

by John DiGiacomo

Partner

Data Breach

California law takes the privacy of its residents seriously. Privacy is an inalienable right guaranteed to California residents by the California Constitution. California was the first state to enact laws protecting the rights of Californians to be notified of data security breaches.

When it comes to data breaches in California, state agencies and businesses have a duty to protect customer information. California residents who are victims of a data breach have a right to be notified if their unencrypted data was exposed.

Under California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a), state agencies and businesses have an obligation to notify California residents who have been the victim of an unencrypted data security breach.

Who is Protected Under the California Data Breach Notification Law?

California’s data breach notification laws protect all Californians. Employees, consumers and residents of the Golden State are protected under these laws. Since California businesses and state agencies are required to notify all California residents of a data security breach, many non-residents are incidentally also notified of the data security breach as a byproduct of these laws.

What is Personal Information?

For the purposes of the California data breach notification law, “personal information” includes a person’s first name or first initial and the person’s last name, in conjunction with any of the following additional data elements:

  • The person’s social security number.
  • A driver’s license or California identification card number.
  • The person’s medical information or health insurance information.
  • A person’s account, credit card number, or debit card number, in combination with that account’s security code, password or access code, such that unauthorized access to these accounts could be achieved.
  • Information collected through an automated license recognition system.

If the data that was breached was encrypted, Californians do not need to be notified. “Encrypted” means the data was rendered unusable, undecipherable, or unreadable to the unauthorized person who accessed it.

Who Must Comply With the Data Breach Notification Laws?

People and companies that conduct business in California, along with California government agencies, are required to comply with the California data breach notification law.

This means that even companies that have their business headquarters in a state other than California are required to provide California residents with notification of a data security breach if they conduct any business in the state of California.

In essence, any business that has access to a California resident will be required to comply with the notification laws. On the other hand, businesses that do not have operations and do no business in the state of California are not required to comply with California’s data breach notification laws.

Requirements for Notification Compliance

State agencies and businesses in California that have had a data breach must satisfy certain notification requirements in order to be in compliance with the law. The notice must be written in plain language. Its font must be no smaller than 10-point, and it must use clear and conspicuous headings, such as “Notice of Data Breach”.

The notice must convey the following information:

  • Who is issuing the notification.
  • What happened, including the date range affected by the breach.
  • Identification of what information was involved in the data breach.
  • Whether there was a delay in providing the notification due to an investigation by law enforcement.
  • What the agency or business is doing to resolve the problem.
  • What victims can do to protect themselves.
  • Where to find more information about the data breach. 

Are There Sanctions and Remedies Available to Victims?

If California residents are not notified of their involvement in a data security breach in a timely fashion, the victim could be entitled to damages through a private action or claim for liquidated damages.

Talk to a Data Breach Lawyer

Revision Legal understands the dynamic nature of cyber security. Revision Legal has worked with businesses of all sizes to assess data retention risks. When necessary, we provide counsel on the California data breach law. If you have concerns about your company’s exposure or have received a notification that you have been a victim of a data breach incident, contact the experienced data breach attorneys at Revision Legal.

Civil fines are available in some states for a failure to expeditiously notify those affected by breaches. Contact our internet lawyers using the form on this page or call us at 855-473-8474.

Photo credit to Flickr user Anh Dinh.

This post was originally published in November, 2015. It has been updated for clarity and comprehensiveness.
