Security Data Breach Notification: California Law Updates

Recently, there has been a crackdown on companies getting personal information from their consumers. This personal information includes factors such as age, income, and members in the household. These types of personal information are also referred to as personal identifying information, or PII. It is very important for consumers to understand their privacy rights, and seek justice if there has been unauthorized use of their information. if you believe that your personal data has been breached, get in touch with an experienced data breach privacy lawyer from Heidari Law Group today.

Many states have been creating laws to deter companies from obtaining these types of information, citing to an invasion of privacy. On September 11, 2019, a bill that specifically referred to this matter was passed in California. It was Introduced to the California General Assembly by California Attorney General Xavier Becerra. Once the bill was passed, the Act was then referred to as the California Consumer Privacy Act Amendments. There was already the California Consumer Privacy Act put in place a couple years back, however many lawmakers believed that it was not as stringent as it could be. under AB 1130 personal identifying information included someone’s first name, last name, social security number, driver’s license number, and medical information. Further, a person’s email address, username, password, and a security question has also been added to be a personal identifying information. Under the law, any type of information that could be obtained through public records is not considered a personal identifying information.  After this law was passed in 2019, the law became more broader and included information such as fingerprints, eye scans, tax identification numbers, and passport numbers.

The specific California Data Security Breach Notification law reads:

“California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) [agency] and California Civ. Code s. 1798.82(a) [person or business].)”

“Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) [agency] and California Civ. Code s. 1798.82(f) [person or business].)”

This above law took effect starting January 1st 2020.

What Is a Data Breach?

Under the California data security breach law, a security breach is the unauthorized access to computerized data of a company that includes personal identifiable information of specific consumers. This includes confidential information, along with going around security walls put in place. This is essentially when one person hacks a company to get access to personal information. There are different ways a hacking could take place, which include, but are not limited to:

• When a business reasonably believes that an unauthorized person has gained access to information
• The security program put in place to secure the information has detected some form of unauthorized hacking
• The encryption key, also known as the security password, has been used, leading the company to reasonably believe that there has been a breach

What Do Businesses Need to Do?

The businesses that need to collect personal information must show that they have a valid contract with a third-party, and must specify who the third party is has also has access to this information. The reason for collecting this information must be for good cause. The third party must also have security procedures and practices put in place to protect this information.

Protecting personal information may include business practices such as shredding physical documents, deleting and refreshing personal data documents, and making documents encrypted and difficult to be hacked into. There is no bright line rule as to what businesses need to do to secure this information, however businesses must “reasonably” protect this data through any means.

What Is a “Business”?

When the law states that businesses must protect this information, the definition of business refers to sole proprietorships, corporations, partnerships, and any type of Institution. This is a very broad category that includes almost every entity. A “consumer” is considered to be any California resident. A California resident should be domiciled in California, and someone who has left the state temporarily is still covered under this law.

But some businesses do not need to adhere to the California breach notification law. These businesses include healthcare providers, specific financial institutions under the California Financial Information Privacy Act, and businesses that are regulated by federal laws.

If there is a data breach, businesses need to send out notices to California residents if more than 500 California residents have been affected. Another way a resident can check if their data has been breached is by checking the data security breach search page. Once visitors go onto to the site, they can type in the organization name, and the date of the breach range. They can then check if their data has in fact been breached or used in any way.

How Should a Company Notify Its Consumers?

The California Data Breach Law requires that these businesses give written notice to their consumers if there has been an unauthorized data breach. Businesses have to give notice to those people whose data has in fact been breached. The company needs to send out these notices to the consumers as soon as possible. Before sending out these notices, the companies should notify law enforcement. If there has been more then 500 people whose data has been breached in one instance, the business is also required to notify the California Attorney General. The notice of data breach sent to consumers must include:

• The contact information of the business
• The date of when the breach occurred
• The type of personal identifying information that has been taken
• How the breach incident occurred
• Services to mitigate the identity breach
• Identity theft provision services
• what the company has done to prevent further breaches (optional)
• What individual should now do moving forward (optional)

Besides these above factors, there are several other factors that are required depending on the situation. It is important to seek the advice of an experienced business attorney to determine how to notify consumers properly to avoid any future lawsuits.

What This Means for You

If you are a consumer who has recently had your data breached, you should seek the advice of an experienced business attorney immediately. You can request a free consultation at our firm at Heidari law to determine if your data has in fact been breached, and what your legal options are. We have offices located in all major cities, including Los Angeles, Irvine, Las Vegas, and Sacramento.

You are a business and believe you fall under this law, contact our attorneys for assistance on securing data and for legal assistance navigating through a data breach. Privacy laws are constantly changing, and so is important for businesses to keep themselves informed of any new laws. California and Nevada have been pushing for privacy laws in the recent years, and so it is always evolving. New requirements are constantly being placed on businesses. It is important to have a legal team you can call on for advice on how to proceed with consumer privacy, protection, and security issues.

***Disclaimer: This blog is created by Heidari Law Group for educational purposes. This article provides a general understanding of the law. It does not provide specific advice. By using this site and reading through this blog, there is no attorney-client relationship created between you and any member of Heidari Law. Further, due to the constant change of the law, some parts of the information above may no longer be good law.