[BreachExchange] Understanding California’s Data Breach Notification Law: Protecting your Company & Customers

Audrey McNeil audrey at riskbasedsecurity.com
Fri Aug 11 14:20:46 EDT 2017


https://www.lexology.com/library/detail.aspx?g=a18fee34-e1cb-4993-9e6c-
d98fcd86f6e9

The California Attorney General’s 2016 Data Breach Report found 3 out of 5
Californians were victims of data breaches and that data breach victims
were significantly more likely to experience identity theft. Notifying
consumers of a data breach promptly after it happens allows and encourages
them to take proactive measures (such as cancelling susceptible credit
cards, purchasing identity theft prevention services, and so forth) to
prevent identity theft. When consumers affirmatively act to prevent
identity theft, they also minimize the amount of damages they might
otherwise have that your company may ultimately be liable for.

California has been a trailblazer in the field of data breach transparency.
In 2002, California became the first state to enact its Data Breach
Notification Law. This law has become a model that has been followed by
many states across the United States. The law has been tweaked over the
years, with new amendments having gone into effect as recently as January
2017.

Here’s an overview of some key provisions of the law to help your company
comply with the law and reduce its exposure when confidential data is
breached:

When is Notice Required

Under the California Data Breach Notification Law (Civil Code section
1798.82) you are required to provide notice of a data breach if:

1. You are doing business in California;

2. You own or license computerized data;

3. The data includes personal information of clients residing in California;

4. There was an unauthorized acquisition of electronic personal data of
California residents; and

5. The personal data is not encrypted, or it is encrypted but there is
reason to believe the encryption key was also compromised.

If more than 500 California residents are impacted by the breach, the
California Attorney General’s Office must be notified electronically by
submitting to it a single sample copy of the notice, excluding any
personally identifiable information.

What is “Personal Information”

The law defines personal information as an individual’s first name or first
initial and last name in combination with any one or more of the following:

1. Social security number;

2. Driver’s license/ID card number;

3. Account or card numbers if combined with a security/access code;

4. Medical information; 5. Health insurance information; or

6. Data collected from an automated license plate recognition system.

Personal information is also defined as a user name or email address, in
combination with a password or security question and answer that would
permit assess to an online account.

Timing for Notice

The California Data Breach Notification Law does not provide a certain
number of days, weeks, or months within which you must provide notice.
Rather, companies are to provide notice “in the most expedient time
possible and without unreasonable delay” and “immediately following
discovery.” To add to the uncertainty, notice can be delayed to avoid
interference with law enforcement investigations or if necessary to
determine the scope of the breach and to restore the integrity of the data
system.

What to Include in Notice

The law has been amended to make it easier for consumers to understand the
notice. The notice must be titled “Notice of Data Breach” and include
specific details about the breach under the following headings:

1. “What Happened”

2. “What Information Was Involved”

3. “What We Are Doing”

4. “For More Information”

Under certain circumstances, if the breach exposed social security numbers,
driver’s license numbers, or California identification card numbers, then
an offer to provide appropriate identity theft prevention and mitigation
services must be included in the notice. These services must be provided at
no cost to the affected person for not less than 12 months and the notice
must contain information necessary to take advantage of the offer.

Despite California’s efforts to “simplify” breach notification,
California’s Data Breach Notification Law is technical and fraught with
liability if you do not respond properly. Understanding the law can help
protect your customers and your company. We recommend that companies have a
data breach response plan in place before a breach occurs that includes the
steps needed to comply with the notice requirements.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170811/b6ae4518/attachment.html>


More information about the BreachExchange mailing list