The Onus to Give Notice: California’s Data Breach Notification Law
Once a business suffers a data breach, one of the first questions that arises is whether it must give notice to the affected customers. California’s data breach notification statute, Section 1798.82 of the California Civil Code[i], requires a person or entity that conducts business in California, that owns, licenses or maintains “personal information,” and that suffers a breach of that information to notify the owner of the information, any third parties for whom it maintained that information, and in some cases the California Attorney General. This guide explains the compliance requirements you need to know to protect yourself and your business under California law.[ii]
WHAT IS A BREACH?
A breach is defined as “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.”[iii] Notably, the notice requirements apply only to electronically stored information that is unencrypted.[iv] Moreover, California provides a safe harbor for situations where information is acquired in good faith by employees or agents of the business, provided that the personal information is not used or subject to further unauthorized disclosure.[v]
WHAT IS PERSONAL INFORMATION?
The notification statute defines “personal information”[vi] to include “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual,” including but not limited to his or her first name or first initial and last name in combination with one or more of the following:
Social Security Number
Driver’s license or state identification card number
Employment or employment history
Health insurance information
Insurance policy number
Bank account number
Credit card number
Debit card number
Password for account access
Security question and answer for account access
However, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.[vii]
WHO MUST BE NOTIFIED?
The person or business must notify any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.[viii] In addition, if the information was maintained on behalf of another entity, that entity must be notified immediately following the discovery of the breach.[ix]
If more than 500 California residents will be notified as a result of a single breach, you or your business must also electronically submit a sample copy of the notification to the California Attorney General.[x] The Attorney General provides an online form for submitting data security breach notification samples: https://oag.ca.gov/ecrime/databreach/report-a-breach.
HOW QUICKLY IS NOTICE REQUIRED?
Notice is required in the most expedient time possible.[xi] However, reasonable delays to determine the scope of the breach and to restore the integrity of a breached system are permitted.[xii] Additionally, if a law enforcement agency determines that notification may impede a criminal investigation, notice may be postponed until it will no longer impede the investigation.[xiii]
WHAT IS REQUIRED IN THE NOTICE?
The notice must be written in plain language, and include:[xiv]
WHAT METHOD OF DELIVERY IS REQUIRED?
Notice may be either written or provided electronically in compliance with federal electronic notification requirements, such as prior confirmation that the consumer consents to electronic notification and provisions informing the consumer how to obtain a paper copy of the notification or to withdraw consent to electronic notification.[xv]
If the breach involves a user name or email address and the corresponding password or access code, notice may not be provided electronically to the breached email address. Notice must instead be provided by written or substitute notice (as described below) or by clear and conspicuous notice delivered when the California resident is connected to the online account from a known IP address customarily used to access the account.[xvi]
WHAT IF THE COMPANY IS UNABLE TO PROVIDE THE REQUIRED NOTICE?
If the cost of providing notice would exceed $250,000, or the number of affected California residents would exceed 500,000, or the company does not have sufficient contact information for the affected consumers, it may provide “substitute notice.”[xvii] Substitute notice may take the form of an email notice if the company has an email address for the affected persons, a conspicuous notice posted on the company’s website (if the company maintains a website), or notification to major statewide media.[xviii]
WHAT ELSE IS REQUIRED AFTER A BREACH?
In some breach situations the company responsible for the breach must also offer to provide identity theft prevention and mitigation services for at least 12 months, along with any information necessary to take advantage of the offer. These situations include breaches where the personal information involved includes the first name or first initial and last name in combination with a social security number, driver’s license number, or California identification card number.
WHAT REMEDIES DOES A CUSTOMER HAVE IF YOU FAIL TO COMPLY?
Any customer injured by a violation of these requirements has a right of action against the breaching company to recover damages.[xix] Additionally, any company that violates or proposes to violate these requirements may be enjoined.[xx]
* * * * *
The addition of a conditional requirement to offer identity theft protection, together with the civil penalties for non-compliance, imposes an ongoing duty on companies after a breach. It should be noted that companies are required only to offer protection, and need provide it only to those California residents who accept the offer. Depending on the number of impacted persons, this identity theft protection can be a heavy cost for companies. It may be that only a small portion of the affected group takes advantage of the offer, or it may be that a large majority or all do. However, if a company does not offer such protection, it may be liable for identity theft of any California resident impacted in the ensuing 12 months.[xxi]
A data breach is a daunting prospect for companies; notification shouldn’t be as daunting. Some of these difficulties can be mitigated by proper data security and strong company defenses, and the costs following a breach can be alleviated by proper insurance coverage for post-breach costs. Stay tuned to this “Cyber Insurance” series for information on how traditional insurance or specialized cyber insurance can help you and your business.
Timothy R. Sullivan and Graham Van Leuven are attorneys in the Fresno office of McCormick Barstow LLP. They are members of the firm’s Insurance Coverage and Bad Faith Litigation Practice Group which provides a wide range of litigation and non-litigation services to numerous insurers, risk financing entities, and other interested clients on local, state, national, and international levels.
[i] California Civil Code § 1798.82(a) and (b) state: (a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. [¶] (b) A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
[ii] While California was the first state to adopt a data security breach notification law, forty-six other states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have also enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information. The three states without notification laws are Alabama, New Mexico, and South Dakota. For information regarding the laws of other jurisdictions, see National Conference of State Legislatures, State Security Breach Notification Laws (12/16/13), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. In addition, a multitude of federal laws and regulations govern the security of all types of sensitive information.
[iii] Civil Code § 1798.82(g).
[iv] Civil Code § 1798.82(a).
[v] Civil Code § 1798.82(g).
[vi] Civil Code § 1798.82(h).
[vii] Civil Code § 1798.82(i)(1).
[viii] Civil Code § 1798.82(a).
[ix] Civil Code § 1798.82(b).
[x] Civil Code § 1798.82(f).
[xi] Civil Code § 1798.82(a).
[xiii] Civil Code § 1798.82(c).
[xiv] Civil Code § 1798.82(d).
[xv] Civil Code § 1798.82(j)(1) and (2). See also 15 U.S.C. § 7001.
[xvi] Civil Code § 1798.82(d)(5).
[xvii] Civil Code § 1798.82(j)(3).
[xix] Civil Code § 1798.84(b).
[xx] Civil Code § 1798.84(e).
[xxi] Civil Code §§ 1798.82(g) and 1798.84(b).