Last updated on 01 July 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
It's likely that you already know what a data breach is and why it's bad. Stolen computerized data can compromise the integrity, confidentiality, and security of your entire organization.
Of course, the implications of a breach like that could be profound. That's why preventing them has become the focus of legislation across the United States over the past few years.
In fact, all 50 states, as well as the District of Columbia and U.S. territories, now have data breach notification laws. California's laws on the subject are considered to be the strictest.
In light of that fact, companies that do business in California would do well to consider the following information.
In almost every state throughout America, hackers and others of ill intent breached the security of an incredible number of organizations over the last five years. For example, in 2016, California-based Yahoo experienced a massive data security breach wherein online thieves stole around 500 million users' private information.
The thieves were so good that Yahoo didn't recognize the breach until two years after it occurred. Thankfully, the vast majority of consumers who were impacted did not face insurmountable consequences.
Be that as it may, for Yahoo and other organizations affected over that time frame, the cost in lost trust and other damages is estimated in the trillions of dollars.
That was back in 2016.
However, that's nothing when one looks at the total number of data breaches experienced by California-based companies from 2005 to 2019.
As Security Magazine reported, citing a study by Omnisend, "Housing some of the largest companies in the world, California saw the most data breaches by state with a total of over 5,750,000,000 data breaches. This alone made up for 56% of America's total cases from 2005 to 2019."
It's no wonder then that the state's legislature decided to pass legislation to force companies to take responsibility for the safety of their customers' private information.
Today, California's data breach regulations and reporting requirements are based on the California Consumer Privacy Act (CCPA). Governor Jerry Brown enacted the legislation on June 28, 2018.
Even so, in 2020, California's Attorney General received over 97 individual reports of data breaches! For instance, one of those was one of the most significant data breaches of a health organization ever.
Health IT Security stated that:
Since then, Classaction.org announced that Ambry Genetics has become the subject of a proposed class-action lawsuit filed due to the aforementioned data breach.
The CCPA brought noteworthy changes to the state's then-existing data breach laws (specifically, Part 4 of Division 3 of the California Civil Code) and heralded higher standards, demanding strict adherence.
If your business owns, licenses, or maintains Californian consumers' private information, you have a responsibility to protect that data.
According to Californian state law, you must put reasonable security practices and procedures in place to protect personal identifying information (PII) from being accessed, destroyed, used, modified, or disclosed by unauthorized individuals.
If you retain an individual's PII in an internal account for a purpose such as conducting transactions, that retention falls under the definition of "owning" and "licensing" it according to the law.
If you disclose PII to a third party, you must have a contract with that party, which stipulates that they must also put the same sort of reasonable security procedures and practices in place that you have.
Your responsibility begins the moment you first acquire PII. That responsibility remains until that private data is disposed of properly. Reasonable steps for disposing of customer records include:
Businesses are allowed to take whatever actions they deem necessary to dispose of PII properly.
Personal identifying information (PII) under the law includes a person's first name or first initial and last name put together with one or more of the following:
The definition of PII was amended and now also includes the following:
It's important to note that PII doesn't include publicly available information made available through local, state, or federal government records.
Additionally, the definition of unique biometric data doesn't include digital or physical photographs unless stored or used for facial recognition purposes.
According to the CCPA, you must report a data breach if your company does business in California and you own, license, or maintain Californian consumers' private information.
With that said, the definition of a business under California's data breach law includes any group that:
Some businesses are exempt from California's data breach notification law. These include the following:
In California, any unauthorized procurement of computerized information, which compromises the integrity, confidentiality, or security of PII maintained by a business or individual, constitutes a data security breach.
To determine if a breach occurred under the law, you must know whether the data in question was unencrypted or encrypted.
If the information was unencrypted, then you must give notification if you believe that information was obtained by any unauthorized person.
If the information was encrypted, then you must give notification if:
You must report a data security breach to those whose information was compromised because of that breach. Additionally, businesses must notify the California Attorney General's office if the data breach impacts more than 500 California residents.
When contacting the Attorney General, businesses provide a sample copy of the notification they send to affected individuals.
If a business is a third party that maintains PII but does not own or license it and there is a data breach, it must immediately inform the entity that owns or licenses that data.
A data breach notification must be written in plain and easy language to be considered valid. It must be titled "Notice of Data Breach." Additionally, the notification must include the following information (provided that information is available to the business at the time notification is sent):
Although not mandatory, it's recommended that you include the following information in any data breach notification your business sends:
In theory, you must report a data breach as soon as possible once you become aware that a breach occurred.
However, delays might occur if, for example, you must cooperate with a law enforcement investigation or if you need to restore the integrity of your data system, or if you must determine the overall scope of the breach.
Those delays need to be factored into the exact timing of your notification.
Reporting a data security breach can be done by sending it electronically, in print, or through a substitute notice.
Using electronic notices is fine as long as you meet all formatting, content, and timing requirements. Additionally, electronic notifications must follow federal rules concerning electronic signatures and records in commerce.
If you choose to use a substitute notice, it must include the following to be considered valid:
A business may also provide a substitute notice if it can demonstrate that it would cost more than $250,000 to give notice through print, or if there are more than 500,000 individuals affected by the data breach, or if the business doesn't have adequate contact information.
Businesses that don't comply with the requirements for reporting data breaches as outlined above may be forced by a civil court to pay damages and penalties to injured customers.
Depending on the extent of injury or harm caused to the affected individuals, a court may impose a penalty of $500 per violation. On the other hand, if it can be shown that a business's actions were reckless or intentional, then the penalty could go up to $3,000 per violation.
Under the law, a customer is any person who gave private information to the business for the purposes of leasing or purchasing a product or service.
On the other hand, if a business fails to provide the necessary notifications to affected persons following a data breach but can show that its violations were not intentional, willful, or reckless, it may be able to mount a defense against court-imposed penalties.
However, to do this, it must show that it is actively attempting to remedy its past failure by providing sufficient notification within 90 days of discovering the issue.
As the number of data breaches worldwide continues to rise, entities that do business in California must ensure that they're taking reasonable steps to protect the personal identifying information of their customers.
This data includes a wide range of information necessary for the authentication of an individual's identity, often used to access online accounts or to conduct financial transactions.
Most for-profit organizations doing business in California fall under the state's data breach reporting laws.
If a data security breach occurs, businesses must report the breach to all impacted individuals and California's Attorney General if more than 500 people are affected.
Companies that do not report a data breach or delay reporting without just cause may be subject to stiff financial penalties under the law.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.