Editor’s note: Lothar Determann is the author of “California Privacy Law: Practical Guide and Commentary,” published by The Recorder and Law Journal Press. The book is a comprehensive guide for companies and their attorneys on risk prevention, response, litigation and proper navigation of federal and state privacy laws.
In 2002, California was the first worldwide to pass a law requiring businesses and agencies to notify data subjects of data security breaches. Since then, the state has regularly updated its data security breach notification law, including in 2015, as summarized in the last installment of this series. This article examines a few key requirements of California data security breach notification laws that have not changed as of Jan. 1, 2016:
Definition of a Breach
Under the California data breach notification law, “breach of the security of the system” means any “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” Sometimes companies are confronted with a situation where they identify a security weakness, but do not know whether the weakness was actually exploited. If unauthorized access took place, they have to notify; if not, they do not. Companies are not required to notify in cases of mere suspicion or even in cases of reasonable belief that unauthorized access has occurred. If a breach has occurred, companies must notify every “resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person” (emphasis added). But the duty to notify individuals who are believed to have been affected applies only if unauthorized access actually took place, not if unauthorized access is merely believed to have taken place.
In uncertain situations where it is not clear whether unauthorized access took place, companies must make a judgment call. If, out of an abundance of caution, they notify in situations where a breach did not actually occur, they may unnecessarily incur costs and reputational damage, cause data subjects to incur unnecessary anxiety and costs, and cause credit card companies, credit bureaus and others to incur costs associated with requests for credit reporting freezes or issuance of new cards and other protection measures. On the other hand, if companies decide not to issue notifications in uncertain situations, they may incur even greater costs and reputational damage if it later turns out that a breach actually did occur and data subjects or others bring claims against the company challenging the original decision and demanding compensation for damages that could have been prevented by risk mitigation measures had the company issued breach notifications earlier.
Good Faith Access by Unauthorized Employees
Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure. Also, companies have some leeway in determining which employees are authorized to access certain data and can clarify the situation by issuing written instructions after the fact, for example, by confirming to an employee that she was authorized to access the data in the past but shall no longer be authorized to access the data going forward.
Account Credentials Compromise
If a breach involves only user names and email addresses, in combination with passwords or security questions and answers that would permit access to online accounts, companies and government agencies should take all steps necessary to ensure that passwords are reset. In such an event, companies and agencies may not have to notify the affected data subjects about all details of the breach if no other data categories are affected and if they direct the data subjects to change passwords and security questions/answers and take other steps appropriate to protect the affected online account and other online accounts for which the same credentials are used; if they notify the affected data subjects by email, they must not send the notice to the compromised email account.
Companies and government agencies must issue data security breach notifications “immediately following discovery,” but may delay notification if “a law enforcement agency determines that the notification will impede a criminal investigation,” so long as the notification is “made promptly after the law enforcement agency determines that it will not compromise the investigation.” For risk mitigation purposes, companies should try to obtain written guidance from law enforcement agencies about delaying notification, although in practice law enforcement agencies tend to be reluctant to provide it. If a company unreasonably delays notice, it can be held liable under the California breach notification statute based on a general negligence theory. But, unlike other states’ statutes, the California data breach notification statute does not specify a concrete deadline or safe harbor that companies can rely on for their decision about when to notify.
In 2014, Kaiser Foundation Health Plan Inc. agreed to pay $150,000 to settle a lawsuit filed by California Attorney General Kamala Harris over a three-month delay in telling employees that a hard drive containing more than 20,000 workers’ personal information was sold in a thrift store. Also in 2014, a California court dismissed class action claims against Sony relating to a data security breach of the Sony PlayStation Network for failure to state a claim, because plaintiffs had not substantiated an injury caused by the fact that Sony took 10 days to notify after Sony became aware of the breach (see In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 965, 1009-10 (S.D. Cal. 2014)).
The agency, person or company that owns the data (i.e., the data controller) must issue the notification to the affected data subjects. Data processors must notify the data controller of any breaches they discover.
Identity Theft Protection
If the company providing the notice was the source of the breach and chooses to offer appropriate identity-theft prevention and mitigation services, it must offer them at no cost for at least 12 months.
As a matter of public policy, California Civil Code Section 1798.84 expressly prohibits waivers regarding California’s data security breach notification laws. Therefore, companies cannot limit their liability or disclaim their responsibility to issue breach notifications by way of contract.
Proactively, companies can take steps to reduce the risks of data security breaches occurring and prepare themselves with policies on how to respond to incidents. The California breach notification laws do not expressly require such steps, but companies can avoid having to comply with breach notification laws by encrypting data, minimizing data collection, training employees, contractually obligating vendors to strict data security practices and by taking other steps.