A New Standard for Data Breach Laws in the U.S.

Cal. Civ. Code § 1798.29; 1798.82 is a security breach notification law that was initially passed in the U.S. state of California in 2003 that has subsequently been amended several times since, most recently in 2020. As California has been leading the charge within the U.S. as it concerns the protection of personal data and privacy, Cal. Civ. Code § 1798.29; 1798.82 is a single part of a larger legal framework that regulates the collection, processing, and disclosure of personal information, in conjunction with the California Privacy Rights Act or the CCPA and the California Online Privacy Protection Act or the CalOPPA. With this being said, Cal. Civ. Code § 1798.29; 1798.82 protects the personal privacy of California residents as it concerns security breach incidents.

How is a data breach defined under the law?

Under Cal. Civ. Code § 1798.29; 1798.82, a security breach is defined as “an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by the Entity.” Alternatively, the law also states that the “good-faith acquisition of PI by an employee or agent of the Entity for the purposes of the Entity is not a breach of the security of the system, provided that the PI is not used or subject to further unauthorized disclosure.” Moreover, as it concerns the scope and applicability of the law, Cal. Civ. Code § 1798.29; 1798.82 applies to “any person, business, or state agency (collectively, Entity) that does business in CA and owns or licenses computerized data that contains PI.”

What are the data breach notification requirements under the law?

Cal. Civ. Code § 1798.29; 1798.82 mandates that any business entity conducting operations within the state provide notification to all affected individuals and parties in the event that a security breach occurs. These notifications must be provided to individuals without undue delay, and provide residents of the state with information including but not limited to:

• The approximate date upon which the notification was issued.
• The approximate, estimated, or estimated range of dates upon which the security breach occurred.
• A general description of the events that caused the breach.
• The types of personal information that were compromised during the breach.
• The name and contact information of the individual or entity that is reporting the breach.
• Whether the notification was delayed as a result of a law enforcement investigation.
• The toll-free numbers of the three major credit reporting agencies within the U.S., if the security breach led to the disclosure of social security numbers.
•  In instances where a breach has occurred due to negligence, an offer to provide appropriate identity theft prevention services, including prevention mitigation services, which are to be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed PI involving social security numbers, driver’s license, or state ID card numbers.

What types of personal data are covered under the law?

Under Cal. Civ. Code § 1798.29; 1798.82, the following types of personal information are legally protected should a security breach take place, in combination with a California resident’s first name or first initial and last name, permitting these data elements have not been rendered unreadable, unusable, or indecipherable through redaction software or some other technological means:

• Social security numbers.
• Drivers’ license and state identification card numbers, tax identification card numbers, passport numbers, military identification card numbers, or any other form of identification number issued in accordance with a government document that could be used to identify a resident within California.
• Financial account numbers and credit and debit card numbers, as well any required passwords, security codes, or access codes that could be used to grant access to an individual’s financial account.
• Usernames and email addresses, in combination with any passwords or security questions and answers that could be used to grant access to an individual’s online account.
• Medical information, including information regarding a California resident’s medical history, treatments or diagnosis, or mental or physical conditions.
• Information that has been collected through the use or operation of an automated license plate recognition system (a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data).
• Biometric identification, including fingerprint, iris images, and retina images, among others.

What are the penalties for violating the law?

Business entities and organizations within California that violate the provisions established in Cal. Civ. Code § 1798.29; 1798.82 are subject to civil penalties, as the law states that “consumers who are injured by a violation of this law have the right to initiate a civil action to recover any damages they suffered as a result.” Furthermore, the California Department of Health and Human Services may also impose the following penalties against healthcare providers within the state that are found to be in violation of the law:

• A monetary penalty of up to $25,000 for each patient whose information was compromised under the law, with total penalties not to exceed $250,000.
• A monetary penalty of up to $17,500 for each subsequent violation of the law.
• Additional monetary penalties of up to $100 for each day in which an affected entity does not provide security breach notifications, after the initial 15 day grace period.

How can businesses within California comply with the law?

As data breaches have become commonplace due to the massive importance that internet usage plays in American society, particularly in the midst of the COVID-19 pandemic, many businesses within the state of California will invariably be faced with situations in which the personal data in their possession is at risk. However, there are remedies that can be used to counter such scenarios, one of which is an automatic redaction software program. Using these software programs, businesses can automatically redact personal information from emails, PDFs, documents, and a wide range of other files types. Whether it be in the form of social security numbers, email addresses, or financial account information, these software programs can be used to protect the personal information of California residents, as cyber thieves will not be able to access the redacted information during their attacks.

Within the past five years, the state of California has made notable efforts to protect the personal data and privacy of their respective citizens through the enactment of various forms of legislation, effectively regulating the collection and processing of personal data within the state in a manner that is unprecedented in the context of U.S. legislation at the state level. As it pertains to security breach incidents, Cal. Civ. Code § 1798.29; 1798.82 was passed for the purposes of ensuring that residents within the state can reduce and mitigate the adverse consequences of being involved in a security breach. More importantly, however, residents within California are provided with yet another means to protect themselves against invasions of their personal privacy.