Scope of This Summary
Notification requirements applicable to persons or businesses that conduct business in the state and that own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Unauthorized acquisition that compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
The statute does not apply to information that is encrypted, so long as the encryption key was not acquired and is not reasonably believed to have been acquired.
Form of Covered Info
- An individual's first name or first initial and last name in combination with any one or more of the following data elements:
  - Social Security number.
  - Driver's license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
  - Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
  - Medical information, meaning any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional.
  - Health insurance information, meaning an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.
  - Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
  - Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.
  - Genetic data, meaning any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.
- Additionally: A username or email address, in combination with a password or security question and answer that would permit access to an online account.
Consumer Notice Timing
Must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
Consumer Notice Method
By written notice, or electronic notice if it is consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied. Alternative methods apply to breaches solely involving usernames or email addresses.
Consumer Notice Content
Notice must be in "plain language," use at least 10-point font, and be organized under a clearly and conspicuously displayed title ("Notice of Data Breach") and headings ("What Happened", "What Information Was Involved", "What We Are Doing", "What You Can Do", and "For More Information"). Notice must include: the name and contact information of the covered entity; the types of covered info that were, or are reasonably believed to have been, the subject of the breach; the date, estimated date, or date range of the breach; the date of the notice; whether notice was delayed due to law enforcement; a general description of the breach; and the toll-free numbers and addresses of the major Consumer Reporting Agencies if Social Security, driver's license, or state identification card numbers were exposed.
If Social Security, driver's license, or state identification card numbers are affected, and if the entity providing notice was the source of the breach, it must offer appropriate identity theft prevention and mitigation services, if any, at no cost to the resident for not less than 12 months.
Notification may be delayed if law enforcement determines that notice will impede a criminal investigation.
If more than 500 state residents are notified as a result of a single breach, the entity must also electronically submit a sample copy of the notification to the California Attorney General (excluding personal information).
Consumer Reporting Agency Notice
Exceptions for Other Laws
The statute deems entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to be in compliance with the content requirements for individual notices if they have complied with the notice content requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act (42 U.S.C. 17932).
If you maintain covered info on behalf of another entity, you must notify it immediately following discovery of a breach.
Private Right of Action
In California, any customer injured by a violation of the general breach notification statute may bring a civil action to recover damages, and any business that violates or proposes to violate the statute may be enjoined.
Violations may result in civil penalties.