Browse data breach notification laws in the United States by state or territory. This database currently includes breach statutes for a business that collects personal information. This database is for informational purposes only and may not be up-to-date.
Last Updated | California breach law summary was last updated on 06/26/2017 |
Statute | Cal. Civ. Code §§ 1798.82 et seq. |
Covered Entities | "Business" means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution, and an entity that disposes of records. |
Covered Information | "Personal Information" includes EITHER:
First Name (or First Initial) and Last Name PLUS one of the following:
|
Form of Information | Electronic |
Breach Trigger | A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable. |
Encryption Safe Harbor | No. A person or business shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable. |
Risk of Harm Analysis | None. |
Consumer Notice | A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California |
Government Agency Notice | Yes. More than 500 residents. A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code. |
Credit Agency Notice | The security breach notification shall include, at a minimum: The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver's license or California identification card number. |
Penalties | None. Allows a private cause of action. |
Private Cause of Action | Yes. 1798.84(b) Any customer injured by a violation of this title may institute a civil action to recover damages. |