California recently passed several amendments to the state’s data breach notification laws to expand the kind of information that must be included in data breach notices under Cal. Civil Code section 1798.29 and 1798.82. The amendments apply to private and public sector persons and organizations doing business in the state that suffer data breaches.
California was the first state to mandate that businesses that experience a data breach must inform all persons whose personal information was involved in the breach. Almost every other state has enacted a version of a data breach notification law. The amendments have updated California’s law to expand the content of breach notifications. Specifically, parties covered by the breach notice law must now include the following in their breach notifications:
- The name and contact information of the reporting person or business;
- A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
- If the information is possible to determine at the time the notice is provided, information about the date of the breach and notification;
- Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided;
- A general description of the breach incident, if that information is possible to determine at the time the notice is provided; and
- The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.
The amendments also require the notice-providing party to inform the California Attorney General’s office when more than 500 California residents are notified pursuant to the statute. The amendments did not change the penalties for non-compliance, which expressly include a private right of action for damages.