CHAPTER 8: BREACH NOTIFICATIONS

California already has rules governing data breaches and breach notification in sections 80–84 of the California Civil Code,[182] which deal with the maintenance of “customer records.”

Section 82(a) deals with data breach notifications for a business, and it covers several areas. First, there are requirements that apply to an organization that “owns or licenses computerized data that includes personal information.” Any “person or business that conducts business in California” that owns or licenses such information is required to disclose a data security breach to California residents. Here, a “breach” is defined as the unauthorized acquisition of unencrypted personal information. A breach may also include the loss of encrypted information, if the respective encryption key or other security credential was also lost. The important point is whether the organization has “a reasonable belief that the encryption key or security credential could render that (encrypted) personal information readable or useable.” Ultimately, the issue is whether the organization lost readily readable or useable information.

If an organization that owns or licenses personal information suffers a breach, it is required to disclose it following either discovery or notification of the breach. Disclosures are to be made to California residents “in the most expedient time possible and without unreasonable delay.” What that time frame will actually look like in practice will likely be dictated by evolving case law, because what constitutes an “unreasonable delay” may be different depending on the circumstances of the case concerned. The law does point out that expediency may be dictated by “any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” As a result, any forensic analysis, technical investigations, or remediation and clean-up activities may provide a justifiable, “reasonable” delay. However, that does not permit organizations to use these activities as excuses to avoid the inevitable. California residents need to be notified, and in deference to their privacy rights (as the organization lost their data), disclosure should be made as soon as realistically possible.

In practice, this means organizations need to develop an incident response management process that facilitates quick and efficient investigation of issues. Should a security event occur, the organization should be poised to not only respond to the incident itself but also to analyze the privacy impact and, in turn, notify affected consumers. This requires a great deal of coordination among IT or information security functions, the general counsel or legal department, and any marketing or public relations personnel who can help craft the actual disclosure message. Technical employees are required to understand, investigate, and eliminate the breach (while also learning from the issue in order to avoid similar issues in the future); legal is necessary to determine the threshold analysis required for disclosure, and to prepare the organization for any potential litigation or liability; and marketing/PR is needed to help with outreach to customers, business partners, investors, and potentially media outlets, who all may be interested in what is going on.

Ideally, all personnel at an organization should have a general understanding of information security issues and the symptoms of a possible attack or event. This is why awareness training is critical for all staff – everyone in the organization plays a role in managing information security. Of course, certain personnel play much larger roles (e.g. IT/IS). Not all employees need to understand the incident response management process. For example, it is likely unnecessary for front-end sales staff to understand the internal investigation and escalation processes related to information security incidents. Most personnel just need to know whom to contact if they think there is an issue. Dedicated support staff can take it from there, engaging in the necessary investigation and analysis to determine whether the issue rises to the level of an information security event or full-blown data breach. Those staff can contact relevant parties (e.g. legal, PR, senior management, etc.) as necessary.

Slightly different rules apply to organizations that maintain personal information that the business does not own. Those organizations are required to notify the owner or licensee of such information “immediately following discovery.”[183] There are no carve-outs for measures to restore the integrity of the system, or questions of what constitutes reasonable vs. unreasonable delay. The notification must be made immediately, as soon as the breach is discovered. This will require close coordination between relevant teams or personnel that manage the incident response process.

The statute goes on to provide detail related to the actual form and substance of the notification itself. Subparagraph (d) of section 82 outlines certain requirements. The notification must be “written in plain language, […] titled ‘Notice of Data Breach.’” It must also include certain details related to the breach, formatted in certain ways.

At a minimum, the following detail must be included in the breach notification:[184]

- The date that the notice is provided
- The name and contact information of the reporting person or business
- A list of the types of personal information that were or are reasonably believed to have been the subject of a breach
- A general description of the breach incident, if that information is possible to determine at the time the notice is provided
- Any of the following, if it is possible to determine at the time the notice is provided:
  - The date of the breach
  - The estimated date of the breach
  - The date range within which the breach occurred
- Whether notification was delayed as a result of a law enforcement investigation
- The toll-free telephone numbers and addresses of major credit reporting agencies if the breach exposed Social Security numbers, driver’s license numbers, or California identification card numbers
- An offer to provide “appropriate identity theft prevention and mitigation services” to affected individuals at no cost for at least 12 months. However, this only applies if:
  - The person or business providing the notification was the source of the breach
  - The breach exposed Social Security numbers, driver’s license numbers, or California identification card numbers

This detail must be presented under the following headings:[185]

- “What Happened”
- “What Information Was Involved”
- “What We Are Doing”
- “What You Can Do”
- “For More Information”

There are even formatting requirements. Titles and headings “shall be clearly and conspicuously displayed,” the notice must be designed “to call attention to the nature and significance of the information it contains,” and the text can be no smaller than ten-point font.[186]

All of the above apply to written notices, but written notices are not the only method available to organizations. Should an organization choose to use a written notice, the statute helpfully provides a model security breach notification form – see Table 2.

Table 2: Model Security Breach Notification Form

Other methods of notice are available. If the organization can demonstrate that the cost of providing individual notices would exceed $250,000, the number of affected people exceeds 500,000, or sufficient contact information is not available, the organization can rely on “substitute notice.”[187] Substitute notice requires all of the following:[188]

- Email notice when the organization has an email address for those affected
- If the organization maintains a web page, “conspicuous posting” of the notice there for at least 30 days. The statute defines the term as follows:

  “conspicuous posting […] means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link”

- Notification to major state-wide media

In the event of a security breach involving only login credentials (i.e. a username or email address, in combination with a password or security question and answer that would permit access to an online account), the organization may provide notice by directing affected individuals to promptly change their password and related security questions or answers, or to take other appropriate steps to protect any online accounts that use the same login credentials.[189] It should be noted that if the breach involves login credentials for an email account provided by the organization, sending a notification to that affected email address does not constitute notice.[190] In such cases, the organization should rely on one of the other notice methods mentioned above (e.g. conspicuous posting on the organization’s website).

It is important to note that penalties for violations of those sections of the California Civil Code dealing with the maintenance of “customer records” are separate from the penalties outlined in the CPRA.[191] Any customer may initiate civil action to recover damages caused by violation of this statute.[192] Additional penalties apply to organizations that violate section 1798.83 of the statute, which deals with organizations that share personal information with third parties, knowing those third parties intend to use the information for direct marketing purposes. This is explained in chapter 9.

[182] Cal. Civ. Code § 1798.82.

[183] Cal. Civ. Code § 1798.82(b).

[184] Cal. Civ. Code § 1798.82(d)(2)(A)–(G).

[185] Cal. Civ. Code § 1798.82(d)(1).

[186] Cal. Civ. Code § 1798.82(d)(1)(A)–(C).

[187] Cal. Civ. Code § 1798.82(j)(3).

[188] Cal. Civ. Code § 1798.82(j)(3)(A)–(C).

[189] Cal. Civ. Code § 1798.82(j)(4).

[190] Cal. Civ. Code § 1798.82(j)(5).

[191] Cal. Civ. Code § 1798.84.

[192] Cal. Civ. Code § 1798.84(b).
