What are the data breach notification laws in California?

A data breach is the unauthorized release or access of someone's personally identifiable information, which is any data that could reveal an individual's identity.

Data breaches can happen if an employee clicks on a link in a phishing email, if a laptop or thumb drive is stolen, or if hackers break into a computer network. Accidental security breaches are another cause, such as misconfigured software that leaves data unprotected.

Recently, hackers exploited a software vulnerability at the University of California, Los Angeles (UCLA) and accessed the names and Social Security numbers of students and faculty members. The university had to notify all affected persons and the Attorney General about the data breach.

Every small business that handles credit cards or stores customer information is vulnerable. IT consultants, healthcare providers, and financial institutions are among the industries with the highest risk.

Many people correctly assume that PII includes medical information identified in the Health Insurance Portability and Accountability Act (HIPAA), although PII includes this and much more:

• Names, email addresses, phone numbers, and Social Security numbers
• Driver's license numbers and state-issued identification card numbers
• Passport numbers and military identification numbers
• Financial data, such as credit or debit card numbers and bank account numbers
• Health information, such as medical treatments and conditions
• Health insurance information, such as policy numbers and claims history

Any business that handles PII should invest in cyber liability insurance to mitigate costs in the event of a data breach.

California’s notification laws require business owners to report data breaches that reveal a California resident's personal information "in the most expedient time possible and without unreasonable delay."

A company can take certain circumstances into account, such as the time it takes to determine the scope of a breach and the information that was compromised. Notification can also be delayed if a law enforcement agency indicates that a prompt notification would impede a criminal investigation. The delay can be for up to 60 days if the request is in writing, or 30 days if requested orally.

If unencrypted information is involved, state law requires a business to notify those affected if it reasonably believes the data was accessed or taken by an unauthorized person.

For encrypted information, a business must notify those affected if it believes the encryption key or required security code was compromised, and if the business believes PII could be accessed by an unauthorized person.

Businesses that maintain personal data for another company, such as through IT services or cloud computing, must notify the business or entity that owns the information, if the business believes someone gained unauthorized access to PII.

California’s data breach notification laws require any business or state agency that experiences a breach of PII to provide written notice to those affected.

Notifications must be sent to the affected person's last known address, or to their representative. An electronic notice is acceptable, but only if those affected have previously agreed in writing to receive electronic communications.

If the business has a website, the email must also contain a link to a “conspicuous posting” on the company’s home page that stays online for at least 30 days. The link must stand out from the rest of the email by using larger text, a contrasting color or font, symbols, or some other means of calling attention to the link.

Keep in mind that posting this information on your website is not considered a substitute notice of a breach, you still must notify affected individuals about the scope of the breach.

If the PII of more than 500 California residents is involved in a single breach, a business must notify the California attorney general and provide a sample copy of the data involved. For healthcare facilities, the California Department of Public Health must be notified no more than 15 days after a data breach or unlawful access is discovered.

It’s also a good idea to document your notification efforts with individuals and the state, in case of a lawsuit or fines over the question of your compliance with the law.

The notification must be written in plain language with the title, "Notice of Data Breach" and specific sections as outlined in the law.

It must include the following data, if available at that time:

• The name and contact information of the individual or business making the disclosure
• A description of the incident
• The types of PII believed to have been compromised
• The date(s) when the breach occurred
• Any delays in notification due to investigation by law enforcement

If the compromised PII includes a Social Security number, driver’s license number, or California ID number, the notification must also include the toll-free numbers and addresses for the nation’s credit reporting agencies.

If your business is responsible for the breach, you must also provide at least 12 months of identity theft prevention and mitigation services to those affected. Your notification must include this offer and provide instructions on how to access these services.

You might also include all available information on what the company is doing to prevent additional breaches and advice on what affected individuals should do after a breach, although this is optional under the law.

The cost of a data breach can be significant, which is why cyber insurance is so important for businesses that handle personal data.

Notifying those affected and paying for credit monitoring can be expensive. You’ll have to investigate and fix your security weaknesses while suffering a possible loss of income, and government fines can also be costly. You might even face a ransomware attack, where hackers shut down your computer systems and demand payment.

System downtime can be both expensive and dangerous. Recently, researchers recommended that cyberattacks on hospitals be considered a regional disaster after a ransomware attack on a hospital system in San Diego resulted in delayed care and negative outcomes for patients.

Small businesses most often need first-party cyber liability insurance to mitigate costs. Also called data breach insurance, this policy provides financial protection against data breaches at your business. You can often add this coverage to your general liability insurance or business owner’s policy (BOP), which combines general liability coverage with commercial property insurance at a discount.

If you're responsible for another company's data security, then you may need third-party cyber liability insurance. This policy covers legal expenses when a client blames your business for failing to prevent a data breach at their company.

Because most tech businesses need this coverage, it's usually included with their errors and omissions insurance (E&O) in a bundle called tech E&O.

E&O insurance, also called professional liability insurance, covers your legal costs if a client sues you for making a mistake or failing to deliver on a contract. Tech E&O extends that coverage to include lawsuits related to data breaches and cyberattacks.

While any business could be at risk of a lawsuit after a data breach, this coverage is especially important for information technology businesses, especially IT consultants, network security companies, and cybersecurity businesses that recommend software or are responsible for information security.

In California, businesses that fail to report a data breach may have to pay damages and penalties to the affected customers. The penalty is up to $500 for each unintentional violation and up to $3,000 for intentional violations.

Additionally, businesses that don't comply with the California Consumer Privacy Act (CCPA) can face penalties of up to $2,500 for unintentional violations and up to $7,500 for intentional violations. California residents can also sue businesses for data breaches under the CCPA if certain conditions are met.

The CCPA applies to for-profit businesses that have one or more of the following: an annual revenue of $25 million or more; the personal data of more than 50,000 customers; or more than half of annual revenue derived from the sale of California consumers' personal information.

The California Department of Public Health may impose a penalty of up to $25,000 per patient if their medical information was unlawfully accessed or disclosed without their authorization. It can impose fines of up to $17,500 for each additional infraction.

If the affected business is a clinic, hospice, or a similar health facility, and it fails to notify either the patient or the Department of Public Health within 15 days of a breach being detected, the department could impose a penalty of up to $100 per day up to a maximum penalty of $250,000 for an unreasonable delay in notification.

The state might assume a business failed to notify the affected patients if the business fails to document its notification efforts.

When your business stores data, it's crucial to make sure you take measures to prevent data breaches. In fact, California law specifies that businesses "implement and maintain reasonable security procedures and practices" to protect personal information that belongs to residents.

It’s a good idea to conduct a security audit of the types of personal information, unique identifiers, and other data elements you might have in your data systems.

Requiring strong passwords, security questions, two-step authentication, and access codes can provide reasonable protection for your business and any service providers who access this information, thereby reducing the chance of an unauthorized acquisition of data.

Complete Insureon’s easy online application today to compare insurance quotes from top-rated insurance carriers for cyber policies. Our licensed agents will help you find coverage that fulfills California's insurance requirements and protects your business. Once you find the right policy for your small business, you can begin coverage in less than 24 hours.