Update on California’s Data Breach Notification Law featured image

Update on California’s Data Breach Notification Law

by John DiGiacomo

Partner

Internet Law

Most States and the federal government mandate that personal and confidential consumer data must be securely protected by the companies that collect or use such data. However, despite that requirement, there are thousands of data breaches that occur every year in nearly every industry. Thus, in addition to mandating cybersecurity, many States have enacted breach notification laws. In very broad terms, the breach notification statutes cover the following issues:

  • Who must be notified? — such as: law enforcement, regulators and consumers whose private information may have been accessed
  • What events will trigger a duty to notify? — an attempt to exfiltrate data will not generally trigger an obligation to notify
  • What is the timing of the notice?
  • Are automatic remedies required — such as purchasing monthly credit reports for affected consumers?

In this article, we will briefly summarize California’s data breach notification laws which were first enacted in 2002.

Security and/or Data Breach

Under current California laws and regulations, the definition of a security and/or data breach depends partly on whether the data is encrypted. If the data is encrypted, then notice obligations are only triggered if there is reason to believe that the data itself was compromised. This means that the encryption key must also have been stolen or that facts suggest that the encryption can be broken. If the data was unencrypted, then, generally, a breach notification must be sent.

When Must the Notice be Sent?

There is no exact deadline under California laws. The general rule is that breach notifications must be sent “in the most expedient time possible and without unreasonable delay.” Typically, this standard allows for internal investigations and for contact with and response from law enforcement. Breach notification timing may also be impacted by the need to restore the integrity of the data system.

To Whom Must Notifications be Sent? 

In general, notifications must be sent as follows:

  • To consumers whose data was accessed/stolen
  • The California Attorney General (if data was compromised for more than 500 California residents)
  • The owners of the data if the target of the hack/unauthorized access was not the owner or licensee of the data

Note that there is no requirement that law enforcement officials be notified. However, data breaches are criminal in nature and law enforcement officials are usually contacted for purposes of reporting and investigating the criminal behavior.

What Must the Breach Notification Say?

California’s data breach notification law is aimed at protecting consumers. Thus, California statutes require that a breach notification be written in easily understood words and must be titled “Notice of Data Breach.” In addition, a lot of specific information must be provided which can be summarized as follows:

  • Company and contact information suffering the data breach
  • A full list of the data compromised or thought to be compromised
  • Date or dates of the data breaches
  • Description of what happened — how the data breach occurred
  • Whether law enforcement officials were contacted and whether that investigation delayed notification
  • Information about checking major credit reporting agencies
  • An offer to provide identity theft prevention services

Contact Revision Legal For more information or if you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data breach and data security lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474. We are lawyers specializing in internet law.

Extra, Extra!
Recent Posts

Trademarks: What is the Difference Between the Circle R and TM Symbols?

Trademarks: What is the Difference Between the Circle R and TM Symbols?

Trademark

The Circle R and the TM symbols both relate to trademarks and both can be physically placed on products, packaging, advertising materials, websites, etc. The Circle R symbol is an “R” enclosed in a circle (®). While both are trademark-related symbols, there are different eligibility requirements for use, meanings, and implications. Here is a quick […]

Read more about Trademarks: What is the Difference Between the Circle R and TM Symbols?

Is Your E-Commerce Advertising in Compliance With Existing Laws?

Is Your E-Commerce Advertising in Compliance With Existing Laws?

Internet Law

E-commerce businesses must comply with federal and State-level advertising laws and regulations. This is true of any business. But e-commerce businesses face special challenges because there is a whole array of potential methods of innocently, accidentally, or intentionally violating advertising laws. These include the potential to engage in false and deceptive advertising practices, such as […]

Read more about Is Your E-Commerce Advertising in Compliance With Existing Laws?

Put Revision Legal on your side