CPRA and the California Data Breach Notification Law

This article is for information purposes only. Please contact a privacy attorney for specific guidance.

According to the California Consumer Privacy Act's (CPRA) Data Breach Notification Law, organizations in California are required to notify their consumers in the event of a data breach.

California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) [agency] and California Civ. Code s. 1798.82(a) [person or business].)

Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) [agency] and California Civ. Code s. 1798.82(f) [person or business].)

Definitions

A "breach" is defined as the "Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information, excluding certain good faith acquisitions."

A "business" includes any group that holds an authorization certificate, license, or is chartered under the laws of any U.S. state, the federal government, or foreign nation, and:

sole proprietorships

corporations

partnerships

associations

financial institutions, or

any entity which disposes of records

Exemptions

Agencies that acquire their data under agreements approved by the vehicle code and are subject to the code's confidentiality requirements.

Organizations that fall under HIPAA's security and privacy rules.

Financial Institutions that fall under the California Financial Information Privacy Act.

Healthcare providers regulated by the Confidentiality of Medical Information Act.

Businesses regulated by state or federal legislation that provides greater protections to a consumer's personally identifiable information than the breach law.

When to Report

The law states a breach must be reported to law enforcement and consumers affected as soon as possible and may only be delayed if a written or oral statement from law enforcement is provided stating notification would impede an investigation. In addition, if a single breach affects more than 500 consumers, the California Attorney General must also be notified.

Notification Requirements

A breach notification includes several sections, including what happened, what information was compromised, what actions are being taken, and what consumers can do to protect their data. The description of the breach itself must be written in plain language and contain a minimum of the following:

the name and contact information of the reporting agency

the types of information believed to be subject of the breach

the date of the notice

a general description of the incident

if the information is available at the time of reporting:

the date of the breach

the estimated date of the breach, or

the date range within which the breach occurred

if the breach included exposed social security numbers, driver's license numbers, or California identification card numbers, the toll-free numbers and addresses of major credit reporting agencies

The organization itself can decide if it wishes to publish additional information regarding what steps it has taken to protect the affected consumers and any advice it has for individuals to take.

References:

https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.82

CPRA and the California Data Breach Notification Law

Definitions

Exemptions

When to Report

Notification Requirements

Search News

Categories

About The Author

Newsletter