California Data Security Breach Reporting Requirements

It's likely that you already know what a data breach is and why it's bad. Stolen computerized data can compromise the integrity, confidentiality, and security of your entire organization.

Of course, the implications of a breach like that could be profound. That's why preventing them has become the focus of legislation across the United States over the past few years.

In fact, all 50 states, as well as U.S. territories and the District of Columbia, now have data breach notification laws. California's laws on the subject are considered to be the strictest.

In light of that fact, companies that do business in California would do well to consider the following information.

History of Data Breaches in California

In almost every state throughout America, hackers and others of ill intent breached the security of an incredible number of organizations over the last five years. For example, in 2016, California-based Yahoo experienced a massive data security breach in which online thieves stole around 500 million users' private information.

The thieves were so good that Yahoo did not even recognize the breach had occurred; it went undetected for two years before it was discovered. Thankfully, the vast majority of consumers who were impacted did not face insurmountable consequences.

Be that as it may, for Yahoo and other organizations affected over that time frame, the cost in lost trust and other damages is estimated in the trillions of dollars.

That was back in 2016.

However, that's nothing when one looks at the total number of data breaches experienced by California-based companies from 2005 to 2019.

As Security Magazine reported, citing a study by Omnisend, "Housing some of the largest companies in the world, California saw the most data breaches by state with a total of over 5,750,000,000 data breaches. This alone made up for 56% of America's total cases from 2005 to 2019."

It's no wonder then that the state's legislature decided to pass legislation to force companies to take responsibility for the safety of their customers' private information.

Today, California's data breach regulations and reporting requirements are based on the California Consumer Privacy Act (CCPA). Governor Jerry Brown enacted the legislation on June 28, 2018.

Even so, in 2020, California's Attorney General received over 97 individual reports of data breaches! One of those was among the most significant data breaches of a health organization ever.

Health IT Security stated that:

[Excerpt: Health IT Security, "10 Biggest Healthcare Data Breaches of 2020", Ambry Genetics]

Since then, it has been announced that Ambry Genetics has become the subject of a proposed class-action lawsuit filed over the aforementioned data breach.

The CCPA brought noteworthy changes to the state's then-existing data breach laws (specifically, Part 4 of Division 3 of the California Civil Code) and heralded higher standards, demanding strict adherence.

Data Security Responsibilities

If your business owns, licenses, or maintains Californian consumers' private information, you have a responsibility to protect that data.

According to Californian state law, you must put reasonable security practices and procedures in place to ensure the protection of personal identifying information (PII) from being accessed, destroyed, used, modified, or disclosed by unauthorized individuals.

If you retain an individual's PII in an internal account for a purpose such as conducting transactions, that retention falls under the law's definition of "owning" and "licensing" the data.

If you disclose PII to a third party, you must have a contract with that party that stipulates that they must also put in place the same sort of reasonable security procedures and practices that you have.

Your responsibility begins the moment you first acquire PII. That responsibility remains until that private data is disposed of properly. Reasonable steps for disposing of customer records include:

  • Shredding
  • Modification of the records (in such a way that the information becomes indecipherable or unreadable)
  • Total erasure of data

Businesses are allowed to take whatever actions they deem necessary to dispose of PII properly.

What Kind of Data Must Be Protected?

Personal identifying information (PII) under the law includes a person's first name or first initial and last name put together with one or more of the following:

  • Username or email address together with a password or security question and answer, which provides access to an online account
  • Any information collected through the operation or use of an automated license plate recognition system
  • Health insurance information (health insurance policy number, subscriber identification number, any information in an individual's application and claims history, any appeals records, and any unique identifier used by the health insurer to identify the individual)
  • Medical information (any information regarding a person's medical history, physical or mental condition, diagnosis or medical treatment by a healthcare professional)
  • A credit card, debit card, or account number in combination with any required password, security code, or access code, which provides access to a person's financial information
  • A driver's license number
  • A California identification card number
  • A Social Security number

The definition of PII was amended and now also includes the following:

  • Unique biometric data that is generated through technical analysis of human body characteristics or measurements of things such as an individual's iris image, retina, or fingerprint, and which is used to authenticate the identity of a particular person
  • Tax identification number
  • Passport number
  • Military identification number
  • Any other unique identification number issued on a government document, which is commonly used to authenticate the identity of a particular person

It's important to note that PII doesn't include publicly available information made available through local, state, or federal government records.

Additionally, the definition of unique biometric data doesn't include digital or physical photographs unless stored or used for facial recognition purposes.

Who Must Report a Data Breach?

According to the CCPA, you must report a data breach if your company does business in California and you own, license, or maintain Californian consumers' private information.

With that said, the definition of a business under California's data breach law includes any group that holds an authorization certificate or license, or is chartered under the laws of any U.S. state, the federal government, or a foreign nation, and that is one of the following:

  • A sole proprietorship
  • A partnership
  • A corporation
  • An association
  • A financial institution, or
  • Any entity that disposes of records

Exemptions from the Law

Some businesses are exempt from California's data breach notification law. These include the following:

  • Entities that acquire data under an agreement approved by the Vehicle Code and which are subject to the Vehicle Code's confidentiality requirements
  • Businesses covered by the security and privacy rules of HIPAA (the Health Insurance Portability and Accountability Act of 1996)
  • Financial institutions that fall under the California Financial Information Privacy Act
  • Healthcare providers, such as contractors, that are regulated by the Confidentiality of Medical Information Act
  • Any business that is regulated by state or federal legislation providing greater protection for a consumer's PII than California's data breach law

Data Security Breach Reporting Requirements

In California, any unauthorized acquisition of computerized data that compromises the integrity, confidentiality, or security of PII maintained by a business or individual constitutes a data security breach.

To determine if a breach occurred under the law, you must know whether the data in question was unencrypted or encrypted.

If the information was unencrypted, then you must give notification if you believe that information was obtained by any unauthorized person.

If the information was encrypted, then you must give notification if:

  • You believe any unauthorized person obtained the information
  • The encryption security credential or the key was (or you think that it may have been) obtained by any unauthorized person, and
  • The encryption security credential or the key could make the stolen PII readable or usable

Who Must Be Notified of a Breach?

You must report a data security breach to those whose information was compromised because of that breach. Additionally, businesses must notify the California Attorney General's office if the data breach impacts more than 500 California residents.

When contacting the Attorney General, businesses provide a sample copy of the notification they send to affected individuals.

If a business is a third party that maintains PII but does not own or license it and there is a data breach, it must immediately inform the entity that owns or licenses that data.

What Must a Data Breach Notification Contain?

A data breach notification must be written in plain, easy-to-understand language to be considered valid. It must be titled "Notice of Data Breach." Additionally, the notification must include the following information (provided that information is available to the business at the time the notification is sent):

  • The contact information and name of the company or person reporting the data breach
  • A list of all the types of PII believed to have been compromised
  • The date or estimated range of dates wherein the data security breach occurred
  • Whether a law enforcement investigation delayed notification
  • A general description of the data breach incident
  • Toll-free numbers and addresses for all three major credit reporting agencies (if the breach exposed a California identification card number, driver's license number, or Social Security number)
  • An offer to provide suitable mitigation services and identity theft prevention for impacted persons for at least a year (if the entity providing notification was also the source of the data breach), and
  • Instructions on how individuals can take advantage of the year-long mitigation and identity theft prevention services offered

Recommended Additional Notification Content

Although not mandatory, it's recommended that you include the following information in any data breach notification your business sends:

  • Advice on steps impacted persons can take to protect themselves
  • Information about what steps the business has taken or will take to protect affected individuals from future data breaches

When to Send the Data Breach Notification

In theory, you must report a data breach as soon as possible once you become aware that a breach occurred.

However, delays might occur if, for example, you must cooperate with a law enforcement investigation, you need to restore the integrity of your data system, or you must determine the overall scope of the breach.

Those delays need to be factored into the exact timing of your notification.

How to Send a Data Breach Notification

A data breach notification may be sent electronically, in print, or through a substitute notice.

Using electronic notices is fine as long as you meet all formatting, content, and timing requirements. Additionally, electronic notifications must follow federal rules concerning electronic signatures and records in commerce.

If you choose to use a substitute notice, it must include the following to be considered valid:

  • Reporting to major media throughout the state
  • For a minimum of 30 days, a conspicuous posting of the notice on the business's website, if the company maintains one. (A conspicuous posting means one that is easily seen, where a link to the notice is provided on the business's home page or the first important page after a visitor enters the website. Additionally, the link must use a color, font, or type that contrasts with all surrounding text so that it stands out. You can also use other marks or symbols around the link to draw attention to it.), and
  • An email notice (if the business has email addresses for impacted persons)

A business may also provide a substitute notice if it can demonstrate that it would cost more than $250,000 to give notice through print, or if there are more than 500,000 individuals affected by the data breach, or if the business doesn't have adequate contact information.

Penalties for Not Reporting a Breach

Businesses that don't comply with the requirements for reporting data breaches as outlined above may be forced by a civil court to pay damages and penalties to injured customers.

Depending on the extent of injury or harm caused to the affected individuals, a court may impose a penalty of $500 per violation. On the other hand, if it can be shown that a business's actions were reckless or intentional, then the penalty could go up to $3,000 per violation.

Under the law, a customer is any person who gave private information to the business for the purposes of leasing or purchasing a product or service.

On the other hand, if a business fails to provide the necessary notifications to affected persons following a data breach but can show that its violations were not intentional, willful, or reckless, it may be able to mount a defense against court-imposed penalties.

However, to do this, it must show that it is actively attempting to remedy its past failure by providing sufficient notification within 90 days of discovering the issue.


As the number of data breaches worldwide continues to rise, entities that do business in California must ensure that they're taking reasonable steps to protect the personal identifying information of their customers.

This data includes a wide range of information necessary for the authentication of an individual's identity, often used to access online accounts or to conduct financial transactions.

Most for-profit organizations doing business in California fall under the state's data breach reporting laws.

If a data security breach occurs, businesses must report the breach to all impacted individuals and California's Attorney General if more than 500 people are affected.

Companies that do not report a data breach or delay reporting without just cause may be subject to stiff financial penalties under the law.