California Cyber Breach Disclosure Law Guide
What's this page all about?
This page is an in-depth view of California's cyber breach notification and disclosure laws, which require businesses and state agencies that hold personal information to notify affected residents (and, for larger breaches, the Attorney General) when that information is compromised.
What's the link to the law?
What’s a breach?
Breach of the security of the system means unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the agency.
Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure. Note that the trigger is unauthorized acquisition, not merely unauthorized access; whether data was actually acquired is the fact an investigation must establish.
What’s considered personal information?
Personal information means an individual’s first name or first initial and last name in combination with one or more of the following data elements when either the name or the data elements are not encrypted:
- Social security number;
- Driver’s license number, California identification card number, tax identification number, passport number, military identification number or other unique identification number issued on a government document commonly used to verify the identity of a specific individual;
- Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account;
- Medical information;
- Health insurance information;
- Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph unless used or stored for facial recognition purposes; or
- Information or data collected through the use or operation of an automated license plate recognition system.
The statute also treats a username or email address in combination with a password or security question and answer that would permit access to an online account as personal information, even when no name is involved.
Personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.
Individual notification requirements
Any agency that owns or licenses computerized data that includes personal information must, following discovery or notification of a breach of the security of the system, disclose the breach to any resident of California whose:
- Unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person or
- Encrypted personal information was or is reasonably believed to have been acquired by an unauthorized person, and the encryption key or security credential was or is reasonably believed to have been acquired by an unauthorized person, and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable.
The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Regulator notification requirements
Any agency that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security of the system must electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. The sample copy is not deemed a public record subject to inspection under the Government Code.
Civil remedies for unlawful disclosure
Any person other than an employee of the state or of a local government agency acting solely in his or her official capacity who intentionally discloses information not otherwise public, which they know or should reasonably know was obtained from personal information maintained by a state agency or from "records" within a "system of records," is subject to a civil action for invasion of privacy by the individual to whom the information pertains.
In any successful action brought, the complainant, in addition to any special or general damages awarded, must be awarded a minimum of $2,500 in exemplary damages as well as attorney’s fees and other litigation costs reasonably incurred in the suit.
This right, remedy and cause of action is nonexclusive and is in addition to all other rights, remedies and causes of action for invasion of privacy inherent in Section 1 of Article I of the California Constitution.
Cal. Civ. Code §§ 1798.29, 1798.53, 1798.82 et seq.