Drilling Down on the California Breach Notification Law

As I shift from talking about the EU’s GDPR to talking about the California Consumer Privacy Act (CCPA), I need to first drill down a bit on the first data protection law passed in California.  This was the California Breach Notification Law (“CalBNL”) that was passed as California Senate Bill 1386 (SB 1386) in February of 2002 and went into effect in July of 2003.   

CalBNL was also the first data breach notification law in the world.  Unlike the GDPR, which is a standalone, net-new regulation, CalBNL adds to and amends various existing sections of the California Civil Code.  The ones we care about for this blog vis-à-vis breaches of businesses are sections 1798.82 and 1798.84 (note the law also covers notification regarding breaches involving State agencies, with the corresponding section 1798.29 being added). 

Digression:  What’s the “Cal. Civ. Code” and this Weird § Symbol?

Now, when you read the expression “Civil Code” followed by some 4-digit number with two decimal places, you probably get lost like I did initially.  Well, the California Civil Code (often referred to as “Cal. Civ. Code”) is one of the 29 California Codes of law, and one of the first 4 originally enacted in 1872 (another one of the original 4 Codes was the Penal Code). 

The Cal. Civ. Code laws are broken into three main “Divisions”: 1. Persons, 2. Property and 3. Obligations.  Laws that are passed by the legislature and signed by the Governor either amend or add one or more sections of the 29 Codes (note the word “Section” will often be represented by the symbol §, which is not to be confused with the symbol that Prince the musician gave himself for a period of time). 

For example, under the Cal. Civ. Code the laws regarding “Obligations” are filed as sections 1427-3273 (and note the symbol for multiple sections is §§).  Like a library filing system, each section of California law is categorized in a Code (e.g. the “Civil Code”), then a Division (e.g. “Obligations”), then a Part (e.g. “Contracts”), then a Title (e.g. “Interpretation of Contracts”), then potentially Chapters and even Articles before you get to the individual sections of law.

So it turns out that when this CalBNL law added/amended Cal. Civ. Code §§ 1798.82 and 1798.84, it amended sections of the Cal. Civ. Code regarding “Obligations,” in the Part regarding “Obligations Arising from Particular Transactions,” and in the Title regarding “Customer Records,” which includes sections (i.e. §§) 1798.80-1798.84.   So CalBNL involves obligations involving transactions having to do with customer records. 

The sections have been amended through the years, including most recently in October of 2019 when passports and other government IDs as well as biometric identifiers were added as examples of personal data covered by CalBNL.

Now to the CalBNL Itself

Sorry for that digression.  Below is a cheat sheet à la what I did with GDPR, but here is the executive summary / key takeaways: 

  • Personal information is the normal stuff one would expect but also includes usernames/passwords and security questions — this is a great addition to the CalBNL, as it's critical to notify people of a breach of this information because many people share the same username/password across multiple web properties

  • A business is off the hook if the breached personal information is encrypted, unless the encryption key was also stolen

  • California gives *very* prescriptive and straightforward guidance on the form of notification, down to the size of the font — here is a recent example of a breach notification letter that was sent out and provided to the California Attorney General.  And another example; they basically look exactly the same.

  • California requires businesses to provide “appropriate identity theft prevention and mitigation services” for up to 12 months

  • If your business is a covered entity under HIPAA, and you follow the HIPAA rules for data breach notification, you don’t have to reinvent the notification wheel for California

  • Furthermore, if a business has its own notification procedures as part of a security policy that the business follows, and those procedures are consistent with the timing requirements that California sets forth, that business is also off the hook for a duplicate California notice

  • A business is required to notify the California Attorney General if more than 500 California residents were impacted.  

  • The above provisions are spelled out in Section 1798.82.  Any penalties are found in 1798.84.  Specifically, California residents injured by a violation of this law may institute a civil action to recover damages, i.e. they have a private right of action.  And any business that violates, proposes to violate, or has violated this law may be enjoined.  But no specific penalty, dollar-wise, is called out.

Those are the main elements. 

But I have a gnawing feeling that many breached companies are complying with the mandatory AG reporting, part of which probably has to do with the fact that there is not the threat of big fines out there.  This dovetails with a prior blog post I wrote entitled The Need for a Comprehensive Breach Notification Law.  I plan to drill down on that a bit more in my next blog post.

California Data Breach Notification Law Cheat Sheet

Topic

California Data Breach Notification Law Provision

Effective Date

July 1, 2003 and amended as recently as October of 2019

Definition of Breach

"Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business."  Good faith acquisition of personal information by an employee and not subject to an unauthorized disclosure does not count as a data breach.

Definition of Personal Information

Either (a) an individual’s first name or first initial and last name in combination with data elements including Social Security number, Tax ID, passport number and/or other forms of government ID as well as credit/debit card number, medical and health insurance info and unique biometric data  OR (b) "a username or email address, in combination with a password or security question and answer that would permit access to an online account."

If the data elements in (a) are encrypted, they are not considered breached personal information.

Entities Covered

Any "person or business that conducts business in California, and that owns or licenses computerized data that includes personal information."

Notification Trigger

Covered entities must "disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California."   Notification may be delayed if "a law enforcement agency determines that the notification will impede a criminal investigation."

Notification Requirements

Must be in plain language.  Must clearly be titled "Notice of Data Breach."  Must have specified headings and follow the prescribed format.  Must have text no smaller than 10-point type.  Must offer identity theft protection for 12 months.  If a username/password breach, must also give guidance on changing passwords on other websites, etc.

How to Notify

Written or electronic notice, or a substitute method if the cost exceeds $250k, which could include email, conspicuous posting, or notification to major statewide media

Attorney General Notification

Must notify the AG if more than 500 California residents are impacted, with a sample notification.  Note that if you go to the AG website at https://oag.ca.gov/privacy/databreach/report-a-breach, the AG office also asks the business for more information on the breach for law enforcement purposes, including the type of breach (insider, hacking or malware, etc.)

HIPAA Carveout

If your business is a "covered entity" under HIPAA and you have complied with the notice requirements under Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5), then you don't have to also satisfy the California notification requirements

Following Pre-Existing Security Policy for Notification Carveout

If a business "maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part" then it shall "be deemed to be in compliance with the notification requirements"

Penalties

Residents injured by a violation of this title may institute a civil action to recover damages, i.e. they have a private right of action.  And any business that violates, proposes to violate, or has violated this title may be enjoined.  But no specific penalty is called out.
