Quick Facts
Breach Based on Harm Threshold: NO
Deadline for Consumer Notice: Most expedient time possible and without
unreasonable delay
Government Notification Required: YES, if >500 residents notified
More Details
Scope of this Summary
Covered Info
First name or first initial and last name, plus: Social Security number; driver's license or state identification card number; financial account , credit or debit card number, in combination with any required security or access code or password permitting access to a resident's financial account; medical or health insurance info; or info collected by automated license plate recognition systems.
Covered info also includes a username or email address, in combination with a password or security question and answer that would permit access to an online account.
Form of Covered Info
Encryption Safe Harbor
Breach Defined
Consumer Notice
Timing: Must be made in the most expedient time possible and without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
Content: Notice must be in "plain language," use at least 10-point font, and organized by clearly and conspicuously displayed title and headings. Notice must include: name and contact info of covered entity; types of covered info that were the subject of the breach; the date, estimated date, or date range of the breach; date of the notice; whether notice was delayed due to law enforcement; general description of the breach; and toll-free numbers and addresses of the major CRAs if SSNs, drivers' license or state identification card numbers were exposed.
If Social Security, driver’s license or state identification card numbers are affected, and if the entity providing notice was the source of the breach, must offer appropriate identity theft prevention and mitigation services, if any, at no cost to resident for not less than 12 months.
Method: By written notice, or electronic notice if it is consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied. Alternative methods apply to breaches solely involving usernames or email addresses.
Delayed Notice
Government Notice
Third-Party Notice
Potential Penalties
California (Health Information)
Quick Facts
Breach Based on Harm Threshold: NO
Deadline for Consumer Notice: 15 business days
Government Notification Required: 15 business days
More Details
Scope of this Summary
Covered Info
Form of Covered Info
Breach Defined
Consumer Notice
Timing: Must be made to the affected patient or patient's representative no later than 15 business days after the unlawful or unauthorized access, use, or disclosure is detected.
Method: By written notice to the last known address. Notice can be provided by an alternative means or at an alternative location as specified by the patient or patient's personal representative in writing pursuant to 45 CFR ß 164.522(b). Notice by email is permitted if the patient previously agreed in writing to receive electronic notice by email.
Delayed Notice
Government Notice
Potential Penalties
This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.
Last revised on July 26, 2018