Update on California’s Data Breach Notification Law featured image

Update on California’s Data Breach Notification Law

by John DiGiacomo

Partner

Internet Law

Most States and the federal government mandate that personal and confidential consumer data must be securely protected by the companies that collect or use such data. However, despite that requirement, there are thousands of data breaches that occur every year in nearly every industry. Thus, in addition to mandating cybersecurity, many States have enacted breach notification laws. In very broad terms, the breach notification statutes cover the following issues:

  • Who must be notified? — such as: law enforcement, regulators and consumers whose private information may have been accessed
  • What events will trigger a duty to notify? — an attempt to exfiltrate data will not generally trigger an obligation to notify
  • What is the timing of the notice?
  • Are automatic remedies required — such as purchasing monthly credit reports for affected consumers?

In this article, we will briefly summarize California’s data breach notification laws which were first enacted in 2002.

Security and/or Data Breach

Under current California laws and regulations, the definition of a security and/or data breach depends partly on whether the data is encrypted. If the data is encrypted, then notice obligations are only triggered if there is reason to believe that the data itself was compromised. This means that the encryption key must also have been stolen or that facts suggest that the encryption can be broken. If the data was unencrypted, then, generally, a breach notification must be sent.

When Must the Notice be Sent?

There is no exact deadline under California laws. The general rule is that breach notifications must be sent “in the most expedient time possible and without unreasonable delay.” Typically, this standard allows for internal investigations and for contact with and response from law enforcement. Breach notification timing may also be impacted by the need to restore the integrity of the data system.

To Whom Must Notifications be Sent? 

In general, notifications must be sent as follows:

  • To consumers whose data was accessed/stolen
  • The California Attorney General (if data was compromised for more than 500 California residents)
  • The owners of the data if the target of the hack/unauthorized access was not the owner or licensee of the data

Note that there is no requirement that law enforcement officials be notified. However, data breaches are criminal in nature and law enforcement officials are usually contacted for purposes of reporting and investigating the criminal behavior.

What Must the Breach Notification Say?

California’s data breach notification law is aimed at protecting consumers. Thus, California statutes require that a breach notification be written in easily understood words and must be titled “Notice of Data Breach.” In addition, a lot of specific information must be provided which can be summarized as follows:

  • Company and contact information suffering the data breach
  • A full list of the data compromised or thought to be compromised
  • Date or dates of the data breaches
  • Description of what happened — how the data breach occurred
  • Whether law enforcement officials were contacted and whether that investigation delayed notification
  • Information about checking major credit reporting agencies
  • An offer to provide identity theft prevention services

Contact Revision Legal For more information or if you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data breach and data security lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474. We are lawyers specializing in internet law.

Extra, Extra!
Recent Posts

Does the AI-Copyright Legal Fight Represent a National Security Threat?

Does the AI-Copyright Legal Fight Represent a National Security Threat?

Copyright

The holders of copyrights for newspapers, magazines, books, and other publications are involved in numerous legal battles with owners of AI modules over alleged copyright infringement. The plaintiff copyright owners claim that the AI large language modules have been trained on huge quantities of copyrighted materials without permission and — most importantly — without payment. […]

Read more about Does the AI-Copyright Legal Fight Represent a National Security Threat?

How Does Buy-Sell Insurance Work For An Owners’ Agreement?

How Does Buy-Sell Insurance Work For An Owners’ Agreement?

Corporate

The owners of most small, closely-held businesses negotiate and sign some form of an “Owner’s Agreement.” An important part of such Agreements is the “Buy-Sell” provisions. These are often some of the most difficult to negotiate. The gist of the buy-sell part of the Owners’ Agreement is to establish the rules for what happens if […]

Read more about How Does Buy-Sell Insurance Work For An Owners’ Agreement?

Status on Social Media Moderation Statutes and Cases

Status on Social Media Moderation Statutes and Cases

Internet Law

Social media content moderation by technology platforms was one of the “hot” legal topics in 2023-2024. Three States — California, Texas, and Florida — passed different statutes to either require more content moderation (California) or to limit such moderation (Texas and Florida). All the statutes, in one way or another, demanded more transparency and information […]

Read more about Status on Social Media Moderation Statutes and Cases

Put Revision Legal on your side