California Data Breach Notification Statute Summary

Cal. Civ. Code §§ 1798.81.5, 1798.82

Type of Data Covered: Electronic.
Deadline for Notification: Most expedient time possible without unreasonable delay.
Government Notice: Yes. Notify the Attorney General if more than 500 California residents are notified.

Subject Entities

Applies to any person or business that conducts business in California and owns or licenses computerized data that includes personal information. Certain entities, such as covered entities subject to HIPAA, may be exempted from some or all provisions of the law.

Definition of Personal Information

  1. First name or first initial and last name, in combination with one or more of the following unencrypted data elements:
  • Social Security number;
  • Driver’s license or California identification card number;
  • Tax identification number;
  • Passport number;
  • Military identification number;
  • Other unique identification number issued on a government document commonly used to verify the identity of a specific individual;
  • Financial account or payment card number, in combination with any required code or password permitting access to a resident’s financial account;
  • Medical information;
  • Health insurance information;
  • Information collected by automated license plate recognition systems;
  • Unique biometric data, such as a fingerprint, retina, or iris image, used to authenticate a specific individual, not including a physical or digital photograph unless it is used or stored for facial recognition purposes; or
  • Genetic data (effective 01/01/2022).
  2. User name or email address, in combination with a password or security question and answer that would permit access to an online account.

Definition of Breach

Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information, excluding certain good faith acquisitions.

Type of Data Covered

Electronic.

Encryption Safe Harbor

Yes. Notice is not required for encrypted personal information unless the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person such that it could be used to render the personal information readable or usable.

Risk of Harm Analysis

Notification is not dependent on risk of harm to the consumer.

Consumer Notice Requirements

Timing: Most expedient time possible and without unreasonable delay in accordance with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system.

Content: The security breach notification must be written in plain language, use at least 10-point font, and be titled “Notice of Data Breach.” The notice must present the information under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.”

Notice must include, at a minimum:

  • Name and contact information of the subject entity;
  • The types of personal information affected;
  • If available at the time of notice: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred;
  • Date of the notice;
  • Whether notification was delayed as a result of a law enforcement investigation;
  • A general description of the breach incident, if available at the time of notice;
  • If Social Security numbers, driver’s license numbers, or California identification card numbers were exposed, the toll-free telephone numbers and addresses of the major consumer reporting agencies;
  • If identity theft prevention and mitigation services are offered, they must be provided at no cost for not less than 12 months, and the notice must contain all information necessary to take advantage of the offer.

Format: Must be designed to call attention to the nature and significance of the information; the title and headings must be clearly and conspicuously displayed; and use at least 10-point font.

Method: Written notice, or electronic notice if consistent with the provisions regarding electronic records and signatures set forth in E-SIGN. If the breach affects only a user name or email address, in combination with a password or security question and answer that would permit access to an online account, and no other personal information, the subject entity may provide notice in electronic or other form directing the resident to change his or her password or security question and answer, or to take other steps to protect the account and any other accounts for which the resident uses the same credentials. Notice of compromised email credentials cannot be sent to the affected email address.

Substitute notice is available under certain conditions.

Substitute Notice Requirements

Substitute notice may be provided if the cost of notice would exceed $250,000, the affected class to be notified exceeds 500,000, or the subject entity does not have sufficient contact information. Substitute notice shall consist of all of the following:

  • Email notice when the subject entity has an email address for the subject persons;
  • Conspicuous posting, for a minimum of 30 days, on the entity’s website, if it maintains one;
  • Notification to major statewide media.

Delayed Notice Requirements

Notification may be delayed if a law enforcement agency provides a written or oral statement that notification would likely impede a related investigation.

Government Notice Requirements

If more than 500 California residents are notified as a result of a single breach, the subject entity must electronically submit a single sample copy of the consumer notification, excluding any personally identifiable information, to the Attorney General.

Third Party Notice Requirements

If covered information is maintained on behalf of another entity, must notify the entity immediately following discovery of a breach.

Potential Penalties

A customer injured by a violation may bring a civil action to recover damages, and an entity that violates or proposes to violate the statute may be enjoined (Cal. Civ. Code § 1798.84). Other private remedies may also be available.

Notification Requirements for Government Agencies

Please see Cal. Civ. Code § 1798.29 for specific requirements and/or penalties for applicable government agencies.

Related Regulations

California Information Security Standards (Cal. Civ. Code §§ 1798.80, 1798.81, 1798.81.5, 1798.84); California Consumer Privacy Act (CCPA) (Cal. Civ. Code §§ 1798.100–1798.194)

Cal. Health & Safety Code § 1280.15

Type of Data Covered: Electronic or paper.
Deadline for Notification: No later than 15 business days after detecting the breach.
Government Notice: Yes. Notify the California Department of Public Health.

 

Subject Entities

Applies to clinics, health facilities, home health agencies, and hospices licensed by the California Department of Public Health (“CDPH”) under Cal. Health & Safety Code §§ 1204, 1250, 1725, or 1745.

Definition of Personal Information

Statute covers “medical information,” defined as: Individually identifiable information in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.

“Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification, such as the patient’s name, address, email address, telephone number, Social Security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.

Definition of Breach

Unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, excluding certain good faith acquisitions.

Type of Data Covered

Electronic or paper.

Risk of Harm Analysis

Notification is not dependent on risk of harm to the patient.

Consumer Notice Requirements

Timing: Notification to the affected patient or the patient’s representative must be made no later than 15 business days after the clinic, health facility, home health agency, or hospice detects the unlawful or unauthorized access, use, or disclosure.

Method: In writing to the patient’s or patient representative’s last known address, or by an alternative means or location specified by the patient or patient representative pursuant to 45 C.F.R. § 164.522(b). Notice may be provided by email only if the patient has previously agreed in writing to receive electronic notice by email.

Delayed Notice Requirements

Notification may be delayed if a law enforcement agency provides a written or oral statement that notification would likely impede a related investigation. Delay may be up to 60 days if requested in writing, or 30 days if requested orally. A law enforcement agency may request an extension based upon a written declaration that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing.

Documentation requirements may apply given the nature of the delay request.

Government Notice Requirements

Must notify the California Department of Public Health no later than 15 business days after detection of the unlawful or unauthorized access, use, or disclosure.

Potential Penalties

The California Department of Public Health, after investigation, may assess an administrative penalty of up to $25,000 per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to $17,500 per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient’s medical information.

If a clinic, health facility, home health agency, or hospice does not notify CDPH or the affected patient within 15 business days of detection, it may also face a penalty of up to $100 for each day that CDPH or the affected patient is not notified, not to exceed $250,000. For enforcement purposes, a facility that cannot document its notification to the affected patient is presumed not to have made it; the presumption may be rebutted if the facility demonstrates that notification was made.

 

Last updated: January 1, 2022