State statute: Cal. Civ. Code 1798.82
(California has specific statutes which could apply if medical information is compromised)
Information Covered / Important Definitions
Personal information of California residents.
Definition includes medical information, health insurance information, and information or data collected through the use or operation of an automated license plate recognition system.
Definition also captures a user name or email address in combination with a password or security question and answer that would permit access to an online account.
“Security Breach” means an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity.
Note (eff. 1/1/2017): A covered entity shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person, and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable.
“Medical Information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
“Health Insurance Information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
“Encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person or business that conducts business in California and owns or licenses computerized data that includes personal information.
Third party recipients:
A person or business maintaining computerized data that includes personal information that the person or business does not own must notify the owner or licensee of the information of any security breach immediately following discovery.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless a law enforcement agency determines notification will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).
- Security breach notification must be written in plain English and be titled “Notice of Data Breach.” It must include certain information, use specific headings, and conform to prescribed formatting. Refer to the statute for instructions and a model security breach notification form.
- If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, must be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer, to any person whose information was or may have been breached if the breach exposed or may have exposed personal information involving a social security number, driver’s license, or California identification card numbers.
- Substitute notice is available by means prescribed in the statute if the cost of notice would exceed $250,000, the affected class exceeds 500,000 persons, or the covered entity has insufficient contact information.
- If the personal information compromised in the data breach only includes a user name or email address in combination with a password or security question and answer (and no other personal information), then notice may be provided in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question and answer (or take other steps to protect the online account).
- If the personal information compromised in the data breach only includes login credentials for an email account furnished by the entity that has experienced the breach, then notice may be delivered to the individual online when that individual is connected to the online account from an IP address or online location from which the entity knows the resident customarily accesses the account.
Other obligations (See Cal. Civ Code 1798.81):
Businesses must implement and maintain reasonable security procedures and practices to protect personal information.
Businesses responsible for data are required to take all reasonable steps to destroy a customer's records that contain personal information when the entity will no longer retain those records.
A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party must require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
A breach of encrypted data triggers a notification requirement if the encryption key or security credential is also acquired by an unauthorized person, and the owner or licensor of the affected data reasonably believes that the encryption key or security credential could be used to render the encrypted personal information readable or usable.
Exemption for good faith acquisition by an employee or agent of a covered entity, so long as the personal information is not used or subject to further willful unauthorized disclosure.
A covered entity is deemed in compliance with the California statute if it maintains and complies with its own notification procedures as part of an information security policy that are consistent with the timing requirements of the California statute.
Covered entities subject to HIPAA may satisfy requirements of California statute by complying with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (“HITECH”).
Notification to Regulator / Waiver
The Attorney General must be notified if a single breach results in notification to more than 500 California residents.
Notification must be submitted online through the Attorney General's reporting form and include a sample of the security breach notification sent to residents.
A waiver of the statute is void and unenforceable.
Civil remedies are available to customers injured by a violation of the statute.
Private Cause of Action / Enforcement
Private Cause of Action: Yes.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.