California Database Security Breach Notification Act (2003)


The Database Security Breach Notification Act went into effect in July 2003.

  • updated several times
  • created after a security breach at a state-operated data facility
  • purpose was to give California residents timely info so they can protect themselves

Applies To

  • Law applies to anyone who owns or uses computerized data that contains unencrypted personal information of a California resident:
    • State agencies
    • Nonprofits
    • private organizations
    • businesses
    • applies to any entity that stores personal info of Cal resident, even if not located in Cal

Requirements

  • Requires entity to:
    • notify California residents of a breach of its computer systems and give notice if unauthorized individuals access and take their unencrypted data
      • written notice
      • use plain language
      • clearly identify the entity making the notice
      • required contents:
        • What Happened
        • What Information Was Involved
        • What We Are Doing
        • What You Can Do
        • For More Information
      • Can use a substitute notice instead of written notice if:
        • cost of giving written notice is greater than $250,000
        • number of people to be notified is greater than 500,000
        • does not have sufficient contact information
      • substitute notice must:
        • Notify affected people by email if the entity has an email address for the person
        • Post notice of the security breach on its website for 30 days
        • Notify major statewide media outlets about the breach
    • must notify residents as quickly as possible
    • 2 reasons to delay notification
      • figure out the scope of the security breach
      • if law enforcement requires it

Personal Information Defined

  • defines personal information broadly
    • personal information is a person’s first name and last name combined with any of the following:
      • SSN
      • Driver’s license number or California Identification Card number
      • Account number, or credit or debit card number, along with any security code, access code, or password that would allow access to a person’s account
      • Medical information
      • Health insurance information
      • Unique biometric information
      • Information collected through the state’s automated license plate recognition system
    • must be unencrypted data
    • information available through public government records is not personal information
    • includes a username or email address combined with a password or security question that can be used to access an online account

Penalty

  • law provides a safe harbor for entities that encrypt personal information
  • law gives California residents a limited private cause of action against entities that do not follow the law
    • enables California residents to sue entities for damages