Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of the breach and notification laws: civil penalties of up to $3,000 per willful, intentional, or reckless violation under Cal. Civ. Code § 1798.84, in addition to damages recoverable by injured customers.

Regulation Levels
  Categories rated:
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
  Rating scale (lowest to highest):
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • There are detailed considerations when determining if a breach is reportable.
  • There are specific requirements that must be detailed in the security breach notification.
  • If a single breach requires notifying more than 500 California residents, a sample copy of the security breach notification must be submitted electronically to the Attorney General.
  • Under the Health & Safety Code, licensed clinics, health facilities, home health agencies, and hospices must report unauthorized access to, or use or disclosure of, patient medical information to the California Department of Public Health no later than 15 business days after it is detected.
  • If the business or person providing the notification was the source of the breach, and the breach exposed or may have exposed a Social Security number or a driver's license or state identification card number, the notification must include an offer of appropriate identity theft prevention and mitigation services at no cost to each affected person for at least 12 months.
  • California law grants customers injured by a violation of the law the right to bring a civil action; the business may also be enjoined.
  • For failure to report a breach of patient medical information on time, the Department of Public Health may assess administrative penalties of $100 for each day the report is late, up to a maximum of $250,000.
  • Notification requirements differ for breaches of online account credentials (a username or email address together with a password or security question and answer), and differ again when the breached credentials are for the email account itself, since that email account cannot be used to deliver the notice.
  • A business that owns, licenses, or maintains personal information about a California resident must implement and maintain reasonable security procedures and practices to protect the personal information.
  • A business that discloses personal information about a California resident pursuant to a contract with a vendor must require by contract that the vendor implement and maintain reasonable security procedures and practices to protect the personal information.
  • A vendor that maintains but does not own or license the personal information must notify the owner or licensee immediately following discovery of a breach. The owner or licensee is then responsible for completing the regulatory reporting and consumer notifications.
  • If the breach affects residents of other states, those residents must be notified under each of those states' rules.
Statutes and Laws
  • Cal. Civ. Code § 1798.82 (Customer Records): disclosure of a breach of the security of the system
  • Cal. Civ. Code § 1798.81 (Customer Records): disposal of customer records
  • Cal. Civ. Code § 1798.81.5 (Customer Records): protection of personal information about California residents
  • Cal. Civ. Code § 1798.83 (Customer Records): disclosure of personal information to third parties
  • Cal. Civ. Code § 1798.84 (Customer Records): enforcement and penalties
  • Cal. Health & Safety Code § 1280.15: reporting of unauthorized access to, or use or disclosure of, patient medical information
  • California has issued a Records Retention Handbook for state records. It can be found at: http://www.documents.dgs.ca.gov/osp/calrim/RecordsRetentionHandbook.pdf
  • The California Consumer Privacy Act of 2018 has passed and will become effective January 1, 2020.