The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice.
California
Data Breach Notification Statute
Highlights
Covered Entities: Any person or business that conducts business in California, and any state agency, that owns or licenses computerized data that includes personal information.
Consumer Notification: Notification must be provided to any California resident whose “unencrypted personal information was, or is reasonably believed to have been, acquired” without authorization.
Regulatory Notification: Notification must be provided to the California Attorney General where “more than 500 California residents” are required to be notified of a breach.
Notification Timeline: Notification must be provided “in the most expedient time possible and without unreasonable delay …”
Data Format: Electronic.
Citations: Cal. Civ. Code §§ 1798.29, 1798.82, 1798.150, 1798.84.
More Details
Definitions:
- Breach: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.
- Personal Information (PI):
- An individual’s first name / first initial and last name in combination with one or more of the following data elements:
- Social Security number;
- Driver’s license number or California identification card number;
- Tax identification number, passport number, military identification number, or other unique, government-issued identification number used to verify identity;
- Financial account or payment card number plus a security code, access code, or password that would permit access thereto;
- Medical / health insurance information;
- Unique biometric data;
- Information collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5; or
- Genetic data.
- A username / email address in combination with a password or security question and answer that would permit access to an online account.
- Medical Information: Information regarding medical history, mental or physical condition, or medical treatment or diagnosis.
- Health Insurance Information: Health insurance policy number or subscriber identification number, unique identifier used by a health insurer to identify an individual, or information in an individual’s application and claims history.
Safe Harbors:
- Encryption: Notification is not required where the potentially impacted PI was encrypted, unless the encryption key or security credential was, or is reasonably believed to have been, acquired as well and the entity reasonably believes that the key or credential could render the PI readable or usable.
- Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent, for the purposes of the relevant person, business, or agency.
- Risk of Harm: N/A
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.
Direct Notice:
- Timing: Notification must be provided in the most expedient time possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore the integrity of the system.
- Format: Notification letters must be titled “Notice of Data Breach,” written in plain language, and printed in no smaller than 10-point font. Notification letters must clearly and conspicuously include the following headings:
- “What Happened”
- “What Information Was Involved”
- “What We Are Doing”
- “What You Can Do”
- “For More Information”
- Content: Notification letters must include, at a minimum, the following (if available):
- Name and contact information for the reporting entity;
- Types of PI that were, or are reasonably believed to have been, impacted;
- Estimated date / date range of the breach and date of notification;
- Whether notification was delayed for a law enforcement investigation;
- A general description of the breach incident;
- Toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a Social Security number, driver’s license number, or California identification card number;
- Method: Notification must be provided in written form, or electronically if the electronic notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001.
Substitute Notice:
An entity may provide substitute notice if (1) the cost of direct notice would exceed $250,000, (2) the notification population exceeds 500,000, or (3) the entity does not have sufficient contact information. It must include: (1) email notice, where an email address is available; (2) conspicuous posting, for at least 30 days, on the entity’s webpage; and (3) notice to statewide media.
Remediation Services:
If the breach impacted Social Security numbers, driver’s license numbers, or California identification card numbers, the entity must offer to provide identity theft protection and mitigation services at no cost to the affected persons for at least 12 months.
Regulatory Notice:
Notification must be provided to the California Attorney General where “more than 500 California residents” are required to be notified.
Credit Reporting Agencies Notice:
N/A
Third-Party Notice:
A person, business, or agency that maintains computerized data including PI that the person, business, or agency does not own must notify the owner or licensee of the PI of a “breach” immediately following discovery.
HIPAA:
A “covered entity” for purposes of the Health Insurance Portability and Accountability Act (HIPAA) will be deemed to have complied with relevant notice content requirements if it has complied with Section 13402(f) of the Health Information Technology for Economic and Clinical Health Act.
Private Action:
A consumer whose PI is subject to “unauthorized access and exfiltration, theft, or disclosure” due to an entity’s failure to implement and maintain reasonable security practices and procedures may institute a civil action.
Associated Regulations:
- Information Security Standards (Cal. Civ. Code §§ 1798.81, 1798.81.5);
- Cal. Consumer Privacy Act (Cal. Civ. Code §§ 1798.100-1798.194)
Health and Safety Code
California - Health & Safety Code
Highlights
Covered Entities: A clinic, health facility, home health agency, or hospice licensed pursuant to Cal. Health & Safety Code Section 1204, 1250, 1725, or 1745.
Consumer Notification: A clinic, health facility, home health agency, or hospice shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the affected patient or the patient’s representative no later than 15 business days after the unlawful or unauthorized access, use, or disclosure has been detected.
Regulatory Notification: Notification must be provided to the California Department of Public Health no later than 15 business days after the unlawful or unauthorized access, use, or disclosure has been detected.
Notification Timeline: Notification must be made no later than 15 business days after the unlawful or unauthorized access, use, or disclosure has been detected.
Data Format: Electronic or paper.
Citations: Cal. Health & Safety Code § 1280.15.
More Details
Definitions:
- Breach: Unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information.
- Personal Information (PI): N/A.
- Medical Information: Any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.
- “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.
- Health Insurance Information: N/A.
Safe Harbors:
- Encryption: N/A.
- Good Faith: Internal paper records, electronic mail, or facsimile transmissions inadvertently misdirected within the same facility or health care system within the course of coordinating care or delivering services shall not constitute unauthorized access to, or use or disclosure of, a patient’s medical information.
- Risk of Harm: N/A.
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency or official provides the clinic, health facility, home health agency, or hospice with a written or oral statement that compliance with the reporting requirements would likely impede the law enforcement agency’s investigation that relates to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information and specifies a date upon which the delay shall end, not to exceed 60 days after a written request is made, or 30 days after an oral request is made.
Direct Notice:
- Timing: Notification must be made no later than 15 business days after the unlawful or unauthorized access, use, or disclosure has been detected.
- Format: N/A.
- Content: N/A.
- Method: To the affected patient or the patient’s representative at the last known address, or by an alternative means or at an alternative location as specified by the patient or the patient’s representative in writing pursuant to Section 164.522(b) of Title 45 of the Code of Federal Regulations. Notice may be provided by email only if the patient has previously agreed in writing to electronic notice by email.
Substitute Notice:
N/A
Remediation Services:
N/A
Regulatory Notice:
A clinic, health facility, home health agency, or hospice shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the California Department of Public Health no later than 15 business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.
Credit Reporting Agencies Notice:
N/A
Third-Party Notice:
N/A
HIPAA:
N/A
Private Action:
N/A
Associated Regulations:
N/A
Comprehensive Data Privacy Law
California Consumer Privacy Act of 2018 (CCPA)
as amended by California Privacy Rights Act of 2020
Cal. Civ. Code, Title 1.81.5 [1798.100 - 1798.199.100]
Highlights
Applicability:
A for-profit entity that: (1) conducts business in California; (2) collects or processes personal information of consumers residing in California; and (3) satisfies one or more of the following thresholds:
- Has annual gross revenue in excess of twenty-five million dollars ($25,000,000); or
- Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more California consumers or households; or
- Derives fifty percent (50%) or more of its annual revenue from selling or sharing consumers’ personal information.
Certain categories of information and entities are excluded from the scope of the Act, including:
- Medical information governed by the California Confidentiality of Medical Information Act (CMIA), and providers of health care governed by the CMIA;
- Protected health information collected by a covered entity under the HIPAA and HITECH privacy, security, and breach notification rules;
- Information collected as part of a research study subject to the Federal Policy for the Protection of Human Subjects;
- Information subject to the Fair Credit Reporting Act, the federal Gramm-Leach-Bliley Act, or the Driver’s Privacy Protection Act;
- Vehicle warranty and recall information subject to the Vehicle Code;
- Certain education information subject to the Education Code; and
- Non-profit organizations.
Business Obligations:
- Provide notice at or before the point of collection: inform consumers of the categories of personal information collected, the purposes for which it is collected or used, and whether it is sold or shared. A business that collects sensitive personal information must likewise disclose the categories of sensitive personal information collected, the purposes of collection, and whether it is sold or shared.
- Inform the consumer of the length of time the business intends to retain each category of personal information, including sensitive personal information, or the criteria used to determine that period, and maintain internal policies or procedures defining those retention periods.
- Collect, use, retain, and share personal information only as reasonably necessary and proportionate to achieve the purposes for which it was collected or processed.
- Enter into contracts with service providers, contractors, and third parties that clearly set out their obligations as required by the Act.
- Post a privacy policy prominently and conspicuously on its website that describes its privacy practices and consumers’ rights, together with any other required disclosures.
- Implement reasonable security procedures and practices appropriate to the nature of the personal information, to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure.
- Respond to verifiable consumer requests free of charge within 45 days of receipt (extendable by an additional 45 days when reasonably necessary).
- Provide two or more designated methods for submitting consumer requests, including at a minimum a toll-free telephone number; a business that operates exclusively online and has a direct relationship with the consumer need only provide an email address. A business that maintains a website must also allow consumers to submit requests through it.
- If the business sells or shares personal information, or uses or discloses sensitive personal information for purposes other than those permitted, provide two or more designated methods for submitting requests to opt out of the sale or sharing of personal information and requests to limit the use and disclosure of sensitive personal information.
- Conduct annual cybersecurity audits where the business’s processing of personal information presents a significant risk to consumers’ privacy or security.
- Assess the business’s existing privacy notices, if any, and identify what personal information is collected and how it is collected and used.
Consumer Rights:
Businesses must respond without undue delay, and within 45 days, to verifiable consumer requests to exercise the following rights with respect to Personal Information (PI) and Sensitive Personal Information (SPI), subject to certain exceptions:
- Right to request deletion of Personal Information;
- Right to correct inaccurate Personal Information;
- Right to know and access Personal Information being collected;
- Right to obtain Personal Information in a format that is generally portable, readily usable, and transmittable;
- Right to know what Personal Information is sold or shared and to whom;
- Right to opt out of sales or sharing of Personal Information;
- Right to limit the use and disclosure of sensitive Personal Information;
- Right to non-discrimination and no retaliation as a result of their opt out or exercise of another right.
Security Breaches:
Businesses must take reasonable precautions to protect consumers’ Personal Information from security breaches and are accountable for any security breach of consumer information they hold. A business is required to notify consumers if their Personal Information has been subject to a security breach. A security breach that results in the compromise of consumer Personal Information may give rise to a private right of action, as further described below.
More Details
Definitions:
- Business: A legal entity organized or operated for profit that collects consumers’ personal information, or on whose behalf such information is collected, that alone or jointly with others determines the purposes and means of processing consumers’ personal information, that does business in the State of California, and that satisfies the required thresholds.
- Consumer: A natural person who is a California resident, whether acting in an individual or household context; as an employee, job applicant, or independent contractor; or as an employee of another company or entity acting in a business capacity.
- Cross-Context Behavioral Advertising: The targeting of advertising to a consumer based on the consumer’s personal information obtained from their activity across businesses, websites, and services other than the one with which the consumer is intentionally interacting.
- Personal Information: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an identified or identifiable individual or household. Personal Information excludes de-identified information, aggregate information, and publicly available information (defined as information lawfully made available from federal, state, or local government records, and information that a Business has a reasonable basis to believe the consumer has lawfully made available to the general public, but not biometric information collected about the consumer without their knowledge).
- Sale of Personal Information: The exchange of Personal Information by the Business to a third party for monetary or other valuable consideration. For example, both the trade of personal information for analytics and the trade of personal information for an advertising option constitute sales. The following disclosures are excluded from the definition: (i) disclosures to a third party made at the consumer’s direction, or where the consumer intentionally interacts with the third party; (ii) a Business sharing an identifier for a consumer for the purpose of alerting a third party that the consumer has opted out of the sale or sharing of personal information or limited the use and disclosure of sensitive personal information; (iii) a disclosure or transfer of personal information as an asset in a merger or other transaction in which the third party assumes control of all or part of the Business’s assets; and (iv) disclosures made by a consumer to the general public via mass media.
- Sensitive Personal Information: Personal Information revealing: social security, driver’s license, state identification card or passport number; account log-in, financial account, credit or debit card in combination with access code; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; content of email or text messages; genetic data; biometric data; information concerning health; and sex life or sexual orientation.
- Sharing Personal Information: Making a consumer’s Personal Information available to a third party, orally, in writing, or by other means, for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
Penalties:
Violations of the CCPA constitute an unfair trade practice and may be enforced by the California Attorney General or the California Privacy Protection Agency. The maximum civil penalty is $2,500 for each violation, or $7,500 for each intentional violation or each violation involving the personal information of consumers under 16 years of age.
Private Action:
Yes, an individual may institute a civil action if: (a) their nonencrypted and nonredacted personal information, as defined in Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure; and (b) that unauthorized access, exfiltration, theft, or disclosure results from the business’s violation of its duty to implement and maintain reasonable security procedures and practices.
Associated Regulations:
- California Consumer Privacy Act Regulations, 11 CCR §§ 7000 et seq.
Effective Date:
January 1, 2023
Enforcement Date:
July 1, 2023
Insurance Data Security Statute
Highlights
Covered Entities: Any insurance institution, agent, or insurance-support organization that:
- In the case of life or disability insurance (1) collects, receives, or maintains information in connection with insurance transactions which pertain to California residents or (2) engages in insurance transactions with applicants, individuals, or policyholders who are California residents.
- In the case of property or casualty insurance (1) collects, receives, or maintains information in connection with insurance transactions involving policies, contracts, or certificates of insurance delivered, issued for delivery, or renewed in California, or (2) engages in insurance transactions involving policies, contracts, or certificates of insurance delivered, issued for delivery, or renewed in California.
This Act does not apply to title insurance or certain home protection companies.
Security Standard: N/A
Consumer Notification: Any insurer, insurance producer, or insurance support organization must comply with the California Data Breach Notification Statute (Cal. Civ. Code § 1798.82), as applicable.
Regulatory Notification: Any insurer, insurance producer, or insurance support organization must provide the Insurance Commissioner with any notices or information submitted to the Attorney General’s Office in accordance with Civil Code § 1798.82(f), as well as sample copies, excluding personal information, of any security breach notices provided to consumers. Copies of notices or information should be sent to the following email: DataBreach@insurance.ca.gov
Notification Timeline: With respect to consumers, notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Civil Code § 1798.82(a).
There is no timeline for notification to the Insurance Commissioner.
Citations: Cal. Ins. Code § 791 et seq.
More Details
Definitions:
- Agent: Any person licensed pursuant to Chapter 5 (commencing with Section 1621), Chapter 5A (commencing with Section 1759), Chapter 6 (commencing with Section 1760), Chapter 7 (commencing with Section 1800), or Chapter 8 (commencing with Section 1831).
- Insurance Institution: Any corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd’s insurer, fraternal benefit society, or other person engaged in the business of insurance. “Insurance institution” shall not include agents, insurance-support organizations, or health care service plans regulated pursuant to the Knox-Keene Health Care Service Plan Act.
- Insurance-Support Organization: Any person who regularly engages, in whole or in part, in the business of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including either of the following:
- The furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction.
- The collection of personal information from insurance institutions, agents, or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation, or material nondisclosure in connection with insurance underwriting or insurance claim activity.
- Insurance Transaction: Any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails either of the following:
- The determination of an individual’s eligibility for an insurance coverage, benefit, or payment.
- The servicing of an insurance application, policy, contract, or certificate.
Regulatory Notice:
Any insurer, insurance producer, or insurance support organization must provide the Insurance Commissioner with any notices or information submitted to the Attorney General’s Office in accordance with Civil Code § 1798.82(f), as well as sample copies, excluding personal information, of any security breach notices provided to consumers.
Copies of notices or information should be sent to the following email:
DataBreach@insurance.ca.gov
Content Requirements:
When notifying the Insurance Commissioner, any insurer, insurance producer, or insurance support organization must provide all notices or information submitted to the Attorney General’s Office, as well as sample copies, excluding personal information, of any security breach notices provided to consumers.
Penalties:
If the Insurance Commissioner determines that an insurer has violated this section, the commissioner may, after appropriate notice and opportunity for hearing in accordance with the Administrative Procedure Act (Chapter 5 (commencing with Section 11500) of Part 1 of Division 3 of Title 2 of the Government Code), by order, assess a civil penalty not to exceed five thousand dollars ($5,000) for each violation, or, if a violation was willful, a civil penalty not to exceed ten thousand dollars ($10,000) for each violation. The commissioner shall have the discretion to determine the acts or omissions that constitute a violation of this section.
Associated Regulations:
- Civil Code § 1798.82
Information Security Standard
Highlights
Covered Entities: Any business (including a sole proprietorship, partnership, corporation, association, or other group), whether or not organized to operate at a profit, that owns, licenses, or maintains personal information about a California resident.
First Party Security Standard: A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Third Party Security Standard: A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to the requirements above shall require by contract that the third party implement and maintain reasonable security procedures and practices to protect the personal information.
Disposal/Destruction Standard: A business shall take reasonable steps to dispose, or arrange for the disposal, of customer records containing personal information when they are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.
Data Format: Electronic and physical.
Citations: Cal. Civ. Code §§ 1798.80, 1798.81, 1798.81.5
More Details
Definitions:
Personal Information (PI): An individual’s first name / first initial and last name in combination with one or more of the following data elements:
- Social Security number;
- Driver’s license number or California identification card number;
- Tax identification number, passport number, military identification number, or other unique government-issued identification number used to verify identity;
- Financial account or payment card number plus any required security code, access code, or password that would permit access to an individual’s financial account;
- Medical information;
- Health insurance information;
- Unique biometric data; or
- Genetic data.
A username or email address in combination with a password or security question and answer that would permit access to an online account.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Methods of Compliance:
The statute does not define what constitutes reasonable security procedures and practices.
Exclusions:
- Health Care: These requirements do not apply to providers of health care, health care service plans, or contractors regulated by the Confidentiality of Medical Information Act. These requirements similarly do not apply to HIPAA covered entities.
- Financial: These requirements do not apply to financial institutions as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act.
- Other: These requirements do not apply to a business regulated by state or federal law providing greater protection to personal information.
Enforcement/Penalties:
A California resident may bring a civil action for a violation of these requirements. A resident injured by a violation may recover damages.
Associated Regulations:
N/A