New California Data Security and Breach Notification Requirements


By Lothar Determann


Lothar Determann is a data privacy law partner at Baker & McKenzie in Palo Alto, Calif., focusing on international data privacy law. He also teaches data privacy law at the University of California, Berkeley School of Law (Boalt Hall), UC Hastings College of the Law and Freie Universität Berlin. He has authored more than 100 articles and five books, including Determann's Field Guide to Data Privacy Law (2nd Ed. 2015) and California Privacy Law - Practical Guide and Commentary (2016).

On Jan. 1, 2016, three new California data security laws came into effect: S.B. 570 (adding requirements for the form and content of breach notifications), A.B. 964 (adding a definition of “encrypted”) and S.B. 34 (prescribing requirements for automated license plate recognition systems).1 In 2002, California became the first jurisdiction worldwide to pass a law requiring businesses and government agencies to notify California residents of data security breaches. Since then, most other U.S. states and many foreign countries have adopted similar laws, and California has regularly updated its data security breach notification laws.

Who is Protected by California's Data Breach Notification Laws?

All Californians are protected, including consumer customers, employees and residents of California. The heading and other sections of Title 1.81 of the California Civil Code before and after the breach notification statute are focused on “customers” and “customer records,” but the data breach notification statute refers broadly to any “residents of California.”

Residents of other states or countries aren't expressly protected concerning information in the custody of California-based companies. But, de facto, the California law has caused millions of people outside California to receive breach notifications. If companies have to notify some individuals affected by a breach, companies usually notify all individuals worldwide in the interest of liability mitigation and customer relations.

What Data is Protected by California's Data Breach Notification Laws?

“Personal information” is defined to include an individual's first name or first initial and last name in combination with any one or more of the following data elements:


•social security number;

•driver's license number or California identification card number;

•account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;

•medical information;

•health insurance information; and

•effective Jan. 1, 2016, information collected through an automated license plate recognition system.


Companies don't have to issue breach notices if either the name or the other data elements are encrypted. Effective Jan. 1, 2016, the law defines the term “encrypted” to mean “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” Companies should confirm and document that their encryption methods, including their key management, keep up with what is “generally accepted” in the field, so that they can rely on the encryption exception when a breach occurs.

California residents are also protected with respect to user names and e-mail addresses in combination with a password or security question and answer that would permit access to an online account. Regarding such data elements, the California law doesn't distinguish with respect to encryption, because notification duties are triggered only if the information permits access to an online account--and properly encrypted information wouldn't permit access.

Information that is lawfully made available to the general public from federal, state or local government records isn't protected.

Who Must Comply With California's Data Breach Notification Laws?

California government agencies and persons and companies that conduct business in California must comply. Companies headquartered in other states or countries can be covered, too: “Business” includes companies and other entities, “however organized and whether or not organized … under the law of this state, any other state, the United States, or of any other country.”2 Companies that don't conduct business in California don't have to comply. But, companies that own protected information on California residents will typically be conducting some business in the state.

How to Comply With California Data Breach Notification Law?

Companies and government agencies that suffer a data security breach must provide notice in plain language. Title and headings must be clearly and conspicuously displayed. The text shall be no smaller than “10-point type” (but font type isn't prescribed).

Minimum Content. Notices have to cover the following topics under California law: (a) the reporting party's name and contact information; (b) the types of personal information that were or are reasonably believed to have been breached; (c) a description of the breach incident, including the date or estimated date range in which it occurred; (d) whether notification was delayed because of a law enforcement investigation; and (e) if the breach exposed a social security number, driver's license number or California identification card number, the toll-free telephone numbers and addresses of the major credit reporting agencies.

New Headings Required. Effective Jan. 1, 2016, companies shall label their notices “Notice of Data Breach” and organize the required information under the headings “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do” and “For More Information.” Additional information may be provided as a supplement to the notice. It is unclear what information companies and agencies have to provide under the header “What You Can Do” because it remains discretionary to provide “advice on steps that the person whose information has been breached may take to protect himself or herself.”3

New Model Security Breach Notification Form. Also new, the California Civil Code now offers a “model security breach notification form.” Companies and state agencies don't have to use this form. But, if they choose to use the form for written notices, provide all required information and comply with the “plain language” requirement, they are deemed to comply with the applicable form requirements.

[NAME OF INSTITUTION / LOGO]                                Date: [insert date]

NOTICE OF DATA BREACH

What Happened?

What Information Was Involved?

What We Are Doing.

What You Can Do.

Other Important Information.
[insert other important information]

For More Information. Call [telephone number] or go to [Internet Web site]

Breaches Affecting Other States, Countries. California's new form requirements and existing minimum content requirements are at odds with some other states' laws, which limit the details companies shall disclose about a breach, in the interest of further investigations. But, for the most part, companies should continue to be able to issue relatively uniform, global breach notices to address requirements in different states and countries pertaining to breaches affecting individuals in multiple jurisdictions.

Mass Breaches. If more than 500 California residents must be notified, the California Attorney General must be notified too. If written notice would be too costly, for example in the case of a mass breach where notification costs would exceed $250,000 or the affected class exceeds 500,000 data subjects, the reporting party can use substitute notice, which consists of all of the following: (1) e-mail notice, if the reporting party has e-mail addresses; (2) conspicuous notice on the website; effective Jan. 1, 2016 and according to Senate Bill 570, such notices must be posted for a minimum of 30 days, and “conspicuous posting” means “providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link;” and (3) notification to major statewide media.

Breach Defined. Under California law, “breach of the security of the system” means any “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” Sometimes companies identify a security weakness but don't know whether it was actually exploited. If unauthorized acquisition took place, they have to notify; if not, they don't. Companies aren't required to notify in cases of mere suspicion, or even of reasonable belief, that unauthorized acquisition has occurred. If a breach has occurred, companies must notify every “resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person” (emphasis added). The “reasonably believed” standard thus determines which individuals must be notified once a breach is established; it doesn't lower the threshold for whether a breach occurred in the first place.

In uncertain situations where it isn't clear whether unauthorized access actually occurred, companies must make a judgment call. If, out of an abundance of caution, they notify in situations where a breach didn't actually occur, they may unnecessarily incur costs and reputational damage, cause data subjects to incur more anxiety and costs than warranted, and cause credit card companies, credit bureaus and others to incur costs associated with requests for credit reporting freezes or issuance of new cards and other protection measures. On the other hand, if companies decide not to issue notifications in uncertain situations, they may incur even greater costs and reputational damage if it later turns out that a breach actually did occur and data subjects or others bring claims against the company challenging the original decision and demanding compensation for damages that could have been prevented by risk mitigation measures had the company issued breach notifications earlier.

Good Faith Acquisition by Employees. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business isn't a breach of the security of the system, provided that the personal information isn't used or subject to further unauthorized disclosure. Also, companies have some leeway in determining which employees are authorized to access certain data and can clarify the situation by issuing written instructions after the fact, for example, by confirming to an employee that she was authorized to access the data in the past but is no longer authorized to access the data going forward.

Account Credentials Compromise. If a breach involves only user names and e-mail addresses, in combination with passwords or security questions and answers that would permit access to online accounts, companies and government agencies should take all steps necessary to ensure that passwords are reset. In such an event, companies and agencies may not have to notify the affected data subjects about all details of the breach if no other data categories are affected and if they direct the data subjects to change passwords and security questions/answers and take other steps appropriate to protect the affected online account and other online accounts for which the same credentials are used; if they notify the affected data subjects by e-mail, they must not send the notice to the compromised e-mail account.

Timing. Companies and government agencies must issue data security breach notifications “in the most expedient time possible and without unreasonable delay” and “immediately following discovery,” but may delay notification if “a law enforcement agency determines that the notification will impede a criminal investigation,” so long as the notification is “made promptly after the law enforcement agency determines that it will not compromise the investigation.” For risk mitigation purposes, companies should try to obtain written guidance from law enforcement agencies about delaying notification; unfortunately, law enforcement agencies tend to be reluctant to provide such guidance in practice.

If a company unreasonably delays notice, it can be held liable under the California breach notification statute based on a general negligence theory. But, unlike other states' statutes, the California data breach notification statute doesn't specify a concrete deadline or safe harbor that companies can rely on for their decision about when to notify.

In 2014, Kaiser Foundation Health Plan Inc. agreed to pay $150,000 to settle a lawsuit filed by California Attorney General Kamala Harris over a three-month delay in telling employees that a hard drive containing more than 20,000 workers' personal information had been sold at a thrift store.4 Also in 2014, a California court dismissed class action claims against Sony relating to a data security breach of the Sony PlayStation Network for failure to state a claim, because plaintiffs had not substantiated an injury caused by the fact that Sony took 10 days to notify after it became aware of the breach.5

Data Processors. The agency, person or company that owns the data (i.e., the data controller) must issue the notification to the affected data subjects. A service provider that handles data for other companies (i.e., a data processor) must notify only the data controller.

Identity Theft Protection. Companies aren't obligated to provide identity theft prevention and mitigation services. But if the company providing the notice was the source of the breach and chooses to offer such services, it must offer them at no cost to the affected person for at least 12 months.

No Waivers. As a matter of public policy, California Civil Code Section 1798.84 expressly prohibits waivers of California's data security breach notification laws. Therefore, companies cannot limit their liability or disclaim the duty to issue breach notices by way of contract.

What Sanctions and Remedies Apply?

California residents are entitled to damages and injunctions if companies violate data security breach notification requirements, but California breach notification laws don't generally provide for sanctions or remedies for the breach itself. As an exception to this rule, Senate Bill 34 adds a private right of action and a claim for liquidated damages in the amount of $2,500, in addition to any other sanctions, penalties and remedies, for data subjects who are harmed by a knowing violation of California laws regarding automated license plate recognition systems, including data security breaches affecting such data.6

What Other New Rules Apply to License Plate Systems in California?

In 2015, California followed more than a dozen other states that had already enacted laws regulating the operation and use of automated license plate recognition (ALPR) systems. Effective Jan. 1, 2016, Senate Bill 34 adds new Sections 1798.90.5 through 1798.90.54 to the California Civil Code, under which operators and users of ALPR systems must comply with specific data security requirements and notify data subjects in case of a data security breach.

Law enforcement, other government agencies and private sector companies operate ALPR systems with mobile or fixed cameras that automatically scan and identify any license plate within range. Some ALPR systems can scan up to 2,000 license plates per minute. In the private sector, ALPR systems are used, for example, to monitor parking facilities, identify vehicles for repossession and monitor access to gated communities. With billions of license plate scans and associated data, agencies and companies can track the movements of cars and, more generally, people, for example to assess driving habits and behavioral patterns, including visits to churches, political protests, union gatherings, addiction counseling meetings, physicians, psychiatrists, attorneys, etc.

Who and What Data is Protected?

The statute protects data that any person collects through an ALPR system, and any person who is harmed by a violation of the California ALPR law may bring a claim. The statute doesn't specify any geographic limitations on its applicability. Thus, California residents may be protected against violations by persons within and outside of California, and residents of other states or countries may be protected against violations by persons, companies and agencies that are based in California.

Who Must Comply?

Any company, government agency or person must comply if it uses or operates an ALPR system, i.e., a searchable computerized database resulting from the operation of one or more cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data. Since the statute doesn't specify any geographic limitations on its applicability, persons acting outside of California may be held responsible under the California ALPR law if and to the extent they capture California license plate information and harm California residents.

How to Comply?

Companies and agencies that operate or use ALPR systems must maintain certain prescribed security procedures and practices and publish details in a privacy policy that must contain certain specified information and be published on the organization's website, if any. The usage and privacy policy shall, at a minimum, include all of the following:

•The authorized purposes for using the ALPR system and collecting ALPR information;

•A description of the job title or other designation of the employees and independent contractors who are authorized to use or access the ALPR system, or to collect ALPR information;

•The training requirements necessary for those authorized employees and independent contractors;

•A description of how the ALPR system will be monitored to ensure the security of the information and compliance with applicable privacy laws;

•The purposes of, process for, and restrictions on, the sale, sharing or transfer of ALPR information to other persons;

•The title of the official custodian, or owner, of the ALPR system responsible for implementing this section;

•A description of the reasonable measures that will be used to ensure the accuracy of ALPR information and correct data errors; and

•The length of time ALPR information will be retained, and the process the ALPR operator will utilize to determine if and when to destroy retained ALPR information.


An operator of an ALPR system must keep access logs and require users to comply with usage limitations set forth in the California ALPR law and the operator's privacy policy.

Government agencies may not sell, share or transfer ALPR information, except to other government agencies and as otherwise permitted by law and the government agency's ALPR privacy policy. A private sector company can sell, share or transfer ALPR information in compliance with the company's ALPR privacy policy.

Government entities that operate or intend to operate an ALPR system must provide an opportunity for public comment at regularly scheduled public meetings before implementing the program.

Risk Mitigation. Proactively, companies can take steps to reduce the risk of data security breaches occurring and prepare policies on how to respond to incidents. The California breach notification laws don't expressly require such steps, but companies can avoid triggering notification duties in the first place by encrypting data, minimizing data collection, training employees, contractually obligating vendors to strict data security practices and by taking other steps.7

1 Each Bill changes California Civil Code Sections §1798.29 and §1798.82. S.B. 34 adds new Sections §§1798.90.5-54 to the California Civil Code.

2 Cal. Civil Code §1798.80.

3 Cal. Civil Code §1798.82(d)(3)(B).

4 Joyce Cutler, Kaiser to Pay $150,000 to Settle California Attorney General Breach Notification Lawsuit, 13 PVLR 220.

5 In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 965, 1009-10 (S.D. Cal. 2014).

6 Cal. Civ. Code §1798.90.54.

7 For more information, see Lothar Determann, California Privacy Law--Practical Guide and Commentary, Chapter 7 - Risk Mitigation, pp. 431 et seq. (2016).