On January 1, 2016, new data breach notification laws in California came into effect. All agencies doing business in the state of California must comply with the new laws if a data breach is suffered that exposes personal information of state residents (Cal. Civ. Code § 1798.29(d)(1)(D)).
Data Breach Notification Laws in California Come into Effect
The new data breach laws in California apply if data is either exposed, or is reasonably believed to have been exposed or acquired by an individual who is unauthorized to view the data. An agency that has suffered a data breach must notify all affected individuals without unreasonable delay, and the breach notifications must follow a new, standardized format.
Information That Must Be Included in a Californian Data Breach Notification Letter
The data types that have been exposed must be mentioned along with an exact date of the breach. If an exact date cannot be determined, the estimated date that the breach is believed to have occurred should be mentioned.
While notification letters must be issued promptly, this should not place any criminal investigation in jeopardy. Businesses can therefore delay the issuing of notifications if they have been instructed to do so by law enforcement so as not to impede an investigation. If the issuing of letters has been delayed at the request of law enforcement officers this should be clearly stated in the notifications.
The breach notice must be written in text with a font size of 10 point or higher. A contact telephone number or link to the company website must also be included under the heading “For More Information.”
The breach notification must contain the title, “Notice of Data Breach,” must be written in plain language, and all information must be listed under the relevant headings indicated below:
Californian Data Breach Notification Template
Title: Notice of Data Breach
Subheading 1: What Happened?
Subheading 2: What Information Was Involved?
Subheading 3: What Are We Doing?
Subheading 4: What Can You Do?
Subheading 5: Other Important Information
Subheading 6: For More Information
A written notice should be issued as standard, although the new data breach notification laws in California also permit a breach notification to be sent via email, provided the notice is in accordance with Section 7001 of Title 15 of the United States Code. However, an email notice is not permitted if the email address was compromised in the breach.
If the data breach affects more than 500 individuals, the State Attorney General must be sent an electronic sample copy of the breach notification letter. If the agency in question maintains a website, a notice should be posted in a conspicuous position on the website for a period of no less than 30 days. The link to the breach notice should be posted on the company’s home page in a larger font than the standard text on the page, or in a contrasting color, so that it stands out.
HIPAA Breach Notification Rule: Exposure of Protected Health Information by a Covered Entity or Business Associate
Under HIPAA Rules, if a data breach is suffered by a covered entity or a business associate of a covered entity, and the information exposed falls under the classification of Protected Health Information as defined by the Health Insurance Portability and Accountability Act, the agency must also notify the Department of Health and Human Services’ Office for Civil Rights (OCR) within 60 days if the breach involves more than 500 records. If the breach involves fewer than 500 records, notification should be issued to OCR within 60 days of the following December 31. (45 CFR §§ 164.400-414)