In the past I have done a deep dive on California’s Data Breach Notification Law and called for specific enhancements to it. I have also banged the drum for a while now for a national data breach law.  Considering the recent SolarWinds and Colonial Pipeline attacks there is finally some momentum for a national data breach notification law. But even if a federal law were to come into being there needs to improvements to the California Data Breach Notification law and better alignment with the California Privacy Rights Act. I first provide a background on the why and what should be done to the California Data Breach Notification Law and then provide the proposed edits to the law itself.

Background

Cybersecurity is not only a national security issue given recent attacks on our election system and critical infrastructure by nation states and organized crime, but increasingly a kitchen table issue for Californians.  Californians now must grapple with the impact of their financial, medical and other personal data being stolen and compromised via a growing number of data breaches of corporate and government organizations, while at the same time trying to continuously avoid the growing minefield of phishing, malware and other types of cyberattacks that indiscriminately target them in their daily use of the Internet.

California was the first state to introduce a data breach notification law, but unfortunately many breaches are going unreported, leaving Californians in the dark regarding if their most sensitive personal information is in the hands of hackers.

The current California Data Breach Notification (CalDBNL) law has a much narrower definition of personal information and does not reflect a more up-to-date view of personal information that the newly passed California Privacy Rights Act (CPRA) reflects, e.g. it misses items in the CPRA definition of personal information such as internet activity information and commercial information such as purchasing histories, as well as “sensitive personal information” including genetic information and email and text messages. 

Having consistency on what constitutes personal information would be helpful to businesses.  It would also advantage consumers in that businesses would find less loopholes regarding if a breach should be reported or not, thereby forcing businesses to more accurately report their breaches.

Furthermore, enforcement of the CalDBNL should also be centralized with the new California Privacy Protection Agency (CalPPA).  The CalPPA has responsibility for enforcing and regulating whether “a business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.”  Given that breaches are typically about the theft of personal information and a breach is a key indicator if a business is implementing proper security procedures or not, it better fulfills the intent of the CPRA for the regulators of these inter-related matters to be one and the same.

Europe’s privacy law (the General Data Protection Regulation or GDPR) requires businesses to report breaches to their country’s “supervisory authority” (an EU member state’s regulatory agency akin to California’s PPA), so having enforcement of breach notification under CalPPA would also parallel standard operating procedures for countries that have a comprehensive privacy law.  i.e., it is best practice to have breach notification and privacy enforcement under the same regulatory body.

Coupled with my proposal for enhancing and aligning the Data Broker Registry Law with the CPRA, what I am advocating is regulation of privacy, data broker registration and data breach notification to be under the umbrella of the California Privacy Protection Agency.  It just makes sense as regulation of data brokers and data breaches also involve consumer privacy information.

Proposed Changes to California Civil Code section 1798.82

Given the length of California Data Breach Notification Law, I am just providing the changes to the relevant sections.  Changes are in bold and in red with color commentary in brackets [ ].

1798.82.  

[the edit below changes the notification to the California Privacy Protection Agency from the Cal AG office]

(f) A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General California Privacy Protection Agency.  A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

[the edit below aligns the definition of personal information to be the definition found in the CPRA, thereby casting a wider net on what should be reported to the State of California]

(h) For purposes of this section, “personal information” has the meaning provided in subdivision (v) of Section 1798.140. means either of the following:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number.

(B) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.

(F) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.

(G) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.

(2) A username or email address, in combination with a password or security question and answer that would permit access to an online account.

(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

(4) For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

[the addition below gives the CalPPA regulatory and rule making power in the area of data breach notification, thus allowing the State of California to better react to changes happening with hacks.]

(l) On or before July 1, 2020, the California Privacy Protection Agency shall solicit broad public participation and adopt regulations to further the purposes of this title.