toggle accessibility mode
image of California

Update on California’s Data Breach Notification Law

By John DiGiacomo

Most States and the federal government mandate that personal and confidential consumer data must be securely protected by the companies that collect or use such data. However, despite that requirement, there are thousands of data breaches that occur every year in nearly every industry. Thus, in addition to mandating cybersecurity, many States have enacted breach notification laws. In very broad terms, the breach notification statutes cover the following issues:

  • Who must be notified? — such as: law enforcement, regulators and consumers whose private information may have been accessed
  • What events will trigger a duty to notify? — an attempt to exfiltrate data will not generally trigger an obligation to notify
  • What is the timing of the notice?
  • Are automatic remedies required — such as purchasing monthly credit reports for affected consumers?

In this article, we will briefly summarize California’s data breach notification laws which were first enacted in 2002.

Security and/or Data Breach

Under current California laws and regulations, the definition of a security and/or data breach depends partly on whether the data is encrypted. If the data is encrypted, then notice obligations are only triggered if there is reason to believe that the data itself was compromised. This means that the encryption key must also have been stolen or that facts suggest that the encryption can be broken. If the data was unencrypted, then, generally, a breach notification must be sent.

When Must the Notice be Sent?

There is no exact deadline under California laws. The general rule is that breach notifications must be sent “in the most expedient time possible and without unreasonable delay.” Typically, this standard allows for internal investigations and for contact with and response from law enforcement. Breach notification timing may also be impacted by the need to restore the integrity of the data system.

To Whom Must Notifications be Sent? 

In general, notifications must be sent as follows:

  • To consumers whose data was accessed/stolen
  • The California Attorney General (if data was compromised for more than 500 California residents)
  • The owners of the data if the target of the hack/unauthorized access was not the owner or licensee of the data

Note that there is no requirement that law enforcement officials be notified. However, data breaches are criminal in nature and law enforcement officials are usually contacted for purposes of reporting and investigating the criminal behavior.

What Must the Breach Notification Say?

California’s data breach notification law is aimed at protecting consumers. Thus, California statutes require that a breach notification be written in easily understood words and must be titled “Notice of Data Breach.” In addition, a lot of specific information must be provided which can be summarized as follows:

  • Company and contact information suffering the data breach
  • A full list of the data compromised or thought to be compromised
  • Date or dates of the data breaches
  • Description of what happened — how the data breach occurred
  • Whether law enforcement officials were contacted and whether that investigation delayed notification
  • Information about checking major credit reporting agencies
  • An offer to provide identity theft prevention services

Contact Revision Legal For more information or if you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data breach and data security lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474. We are lawyers specializing in internet law.

Put Revision Legal on your side