Mandated Timeframe for Breach Reporting and/or Consumer Notification
Without unreasonable delay
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Third Party: Specific Obligations
Third Party: Mandated Contracts
Requests for Information
Fines & Penalties
Violations of breach and notification laws:
- up to $3,000 per violation
Third Party Management
None to minimal
There are detailed considerations when determining if a breach is reportable.
There are specific requirements that must be detailed in the security breach notification.
If the breach affects more than 500 California residents as a result of a single breach, reporting must be submitted electronically to the Attorney General.
The California Department of Health Services must be notified of a medical breach no later than 15 days after discovery of a breach.
The business or person providing notifications must offer identity theft prevention and mitigation services to each affected person at no cost for at least 12 months.
California law grants customers injured by violation of the law the right to institute a civil action. The business may be enjoined. These penalties apply for violation of data protection and data disposal laws too.
For violations involving patient medical information, the Department of Public Health may assess administrative penalties of $100 per day, to a maximum of $250,000.
The instructions vary for different types of breaches, such as online accounts or login credentials or email accounts.
A business that owns, licenses, or maintains personal information about a California resident must implement and maintain reasonable security procedures and practices to protect the personal information.
A business that discloses personal information about a California resident pursuant to a contract with a vendor must require by contract that the vendor implement and maintain reasonable security procedures and practices to protect the personal information.
If a vendor is breached, they must report it to the data owner. The data owner will be responsible to complete the reporting and consumer notifications.
If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
Cal. Civ. Code § 1798.82, Disclose a breach of the security of the system
Cal. Civ. Code § 1798.81, Disposal
Cal. Civ. Code § 1798.81.5, Personal information about California residents protected
Cal. Civ. Code § 1798.83, Disclosure of personal information to third parties
Cal. Civ. Code § 1798.84, Enforcement and penalties