Cal. Civ. Code § 1798.82


Quick Facts

Breach Based on Harm Threshold: NO
Deadline for Consumer Notice: Most expedient time possible and without unreasonable delay
Government Notification Required: YES, if >500 residents notified

 

More Details

 
Scope of this Summary: Notification requirements applicable to persons or businesses that conduct business in the state and that own, license or maintain covered info. Some types of businesses may be exempt from some or all of these requirements and non-commercial entities may be subject to different requirements.
Covered Info: First name or first initial and last name, plus: Social Security number; driver's license or state identification card number; financial account, credit or debit card number, in combination with any required security or access code or password permitting access to a resident's financial account; medical or health insurance info; or info collected by automated license plate recognition systems.

Covered info also includes a user name or email address, in combination with a password or security question and answer that would permit access to an online account.
Form of Covered Info: Electronic Only
Encryption Safe Harbor: Statute does not apply to information that is encrypted, so long as the encryption key was not or is not reasonably believed to have been acquired.
Breach Defined: Unauthorized acquisition that compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.
Consumer Notice:
Timing: Must be made in the most expedient time possible and without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.

Content: Notice must be in "plain language," use at least 10-point font, and be organized by clearly and conspicuously displayed title and headings. Notice must include: name and contact info of covered entity; types of covered info that were the subject of the breach; the date, estimated date, or date range of the breach; date of the notice; whether notice was delayed due to law enforcement; general description of the breach; and toll-free numbers and addresses of the major CRAs if SSNs, driver's license or state identification card numbers were exposed.

If Social Security, driver’s license or state identification card numbers are affected, and if the entity providing notice was the source of the breach, the entity must offer appropriate identity theft prevention and mitigation services, if any, at no cost to resident for not less than 12 months.

Method: By written notice, or electronic notice if it is consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied. Alternative methods apply to breaches solely involving user names or email addresses.
Delayed Notice: Notification may be delayed if law enforcement determines that notice will impede a criminal investigation.
Government Notice: If more than 500 state residents are notified as a result of a single breach, the entity must also electronically submit a sample copy of the notification to the California Attorney General.
Third-Party Notice: If you maintain covered info on behalf of another entity, you must notify them immediately following discovery of a breach.
Potential Penalties: Violations may result in civil penalties.

 

Cal. Health & Safety Code § 1280.15


Quick Facts

Breach Based on Harm Threshold: NO
Deadline for Consumer Notice: 15 business days
Government Notification Required: 15 business days

 

More Details

Scope of this Summary: Notification requirements applicable to a clinic, health facility, home health agency, or hospice licensed pursuant to Cal. Health & Safety Code section 1204, 1250, 1725, or 1745.
Covered Info: Medical Information, defined to mean individually identifiable information regarding a patient's medical history, mental or physical condition, or treatment. Information is identifiable if it includes or contains any element of identifying information, such as name, address, e-mail address, telephone number, Social Security number, or other information that alone or in combination with other public information reveals the individual's identity.
Form of Covered Info: Electronic or Paper
Breach Defined: Unlawful or unauthorized access to, or use or disclosure of, a patient's medical information, excluding certain inadvertently misdirected paper records, e-mail, or facsimile within the same facility or health care system within the course of coordinating care or delivering services.
Consumer Notice:
Timing: Must be made to the affected patient or patient's representative no later than 15 business days after the unlawful or unauthorized access, use, or disclosure is detected.

Method: By written notice to the last known address. Notice can be provided by an alternative means or at an alternative location as specified by the patient or patient's personal representative in writing pursuant to 45 CFR § 164.522(b). Notice by e-mail is permitted if the patient previously agreed in writing to receive electronic notice by e-mail.
Delayed Notice: Notification may be delayed if law enforcement provides a written or oral statement that notice will impede a related investigation, or a written declaration that notice will undermine a bona fide, ongoing, significant criminal investigation of serious wrongdoing related to the unlawful or unauthorized access, use, or disclosure. Additional timing and documentation requirements may apply.
Government Notice: Notification must be made to the California Department of Public Health no later than 15 business days after detecting the unlawful or unauthorized access, use, or disclosure of covered info.
Potential Penalties: Violations may result in civil penalties.

 

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on May 30, 2018