California Information Security Standards Summary

Cal. Civ. Code §§ 1798.80, 1798.81, 1798.81.5, 1798.84


Subject Entities

Businesses that own, license, or maintain personal information about a California resident. “Own” and “license” include personal information that a business retains as part of its internal customer accounts or for the purpose of transactions with the person to whom the information relates. “Maintain” covers personal information that a business holds but does not own or license (for example, data processed on behalf of another business).

Does not apply to providers of health care, health care service plans, or contractors regulated by the Confidentiality of Medical Information Act; HIPAA covered entities; financial institutions regulated by the California Financial Information Privacy Act; or a business regulated by a state or federal law that provides greater protection to personal information than this statute.

Security Standard

Must implement and maintain reasonable security procedures and practices to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not itself subject to this security standard shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Disposal/Destruction Standard

Must take all reasonable steps to dispose of, or arrange for the disposal of, customer records within the business’s custody or control containing personal information when the records are no longer to be retained by the business.

Types of Data Covered

Electronic and Physical.

Definitions

“Personal information” means:

  1. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
    • Social Security number.
    • Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual. 
    • Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
    • Medical information.
    • Health insurance information.
    • Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
    • Genetic data.
  2. A username or email address in combination with a password or security question and answer that would permit access to an online account.

“Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional.

“Health insurance information” means an individual’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Methods of Compliance

The statute does not define “reasonable security procedures and practices,” but states that such procedures and practices must be appropriate to the nature of the information at issue. Compliance with the Massachusetts information security standard (201 CMR 17.00) is recommended as a benchmark.

If disclosing personal information pursuant to a contract with a nonaffiliated third party, must contractually require the third party to likewise implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Records containing personal information may be destroyed by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.

Enforcement

Individuals have a private right of action and may bring a civil action for violations. These rights and remedies are cumulative to each other and to any other rights and remedies available under law.

Violations may be subject to injunctive relief.

Penalties

A resident injured by a violation may recover damages. Separately, the CCPA (Cal. Civ. Code § 1798.150) allows consumers to seek statutory damages for certain data breaches caused by a failure to implement and maintain reasonable security procedures; that remedy is outside the scope of this summary.


Last updated: January 2024