Amended in Assembly September 1, 2015

Amended in Assembly July 13, 2015

Amended in Assembly July 2, 2015

Amended in Senate April 22, 2015

Senate Bill No. 34


Introduced by Senator Hill

(Coauthor: Assembly Member Gatto)

December 1, 2014


An act to amend Sections 1798.29 and 1798.82 of, and to add Title 1.81.23 (commencing with Section 1798.90.5) to Part 4 of Division 3 of, the Civil Code, relating to personal information.

LEGISLATIVE COUNSEL’S DIGEST

SB 34, as amended, Hill. Automated license plate recognition systems: use of data.

(1) Existing law authorizes the Department of the California Highway Patrol to retain license plate data captured by license plate recognition (LPR) technology, also referred to as an automated license plate recognition (ALPR) system, for not more than 60 days unless the data is being used as evidence or for the investigation of felonies. Existing law prohibits the department from selling the data or from making the data available to an agency that is not a law enforcement agency or an individual that is not a law enforcement officer.

Existing law authorizes the department to use LPR data for the purpose of locating vehicles or persons reasonably suspected of being involved in the commission of a public offense, and requires the department to monitor the internal use of the data to prevent unauthorized use and to submit to the Legislature, as a part of the annual automobile theft report, information on the department’s LPR practices and usage.

This bill would impose specified requirements on an “ALPR operator” as defined, including, among others, maintaining reasonable security procedures and practices to protect ALPR information and implementing a usage and privacy policy with respect to that information, as specified. The bill would impose similar requirements on an “ALPR end-user,” as defined.

The bill would require an ALPR operator that accesses or provides access to ALPR information to maintain a specified record of that access and require that ALPR information only be used for authorized purposes.

The bill would, in addition to any other sanctions, penalties, or remedies provided by law, authorize an individual who has been harmed by a violation of these provisions to bring a civil action in any court of competent jurisdiction against a person who knowingly caused the harm.

The bill would require a public agency, as defined, that operates or intends to operate an ALPR system to provide an opportunity for public comment at a regularly scheduled public meeting of the governing body of the public agency before implementing the program. The bill would also prohibit a public agency from selling, sharing, or transferring ALPR information, except to another public agency, as specified.

(2) Existing law requires any agency, and any person or business conducting business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the system or data, as defined, following discovery or notification of the security breach, to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Existing law defines “personal information” for these purposes to include an individual’s first name and last name, or first initial and last name, in combination with one or more designated data elements relating to, among other things, social security numbers, driver’s license numbers, financial accounts, and medical information.

This bill would include information or data collected through the use or operation of an automated license plate recognition system, when that information is not encrypted and is used in combination with an individual’s name, in the definition of “personal information” discussed above.

begin insert

This bill would incorporate additional changes to Section 1798.29 of the Civil Code proposed by SB 570 and AB 964 that would become operative if this bill and one or both of those bills are enacted and this bill is enacted last.

end insert
begin insert

This bill also would incorporate additional changes to Section 1798.82 of the Civil Code proposed by SB 570 and AB 964 that would become operative if this bill and one or both of those bills are enacted and this bill is enacted last.

end insert

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 1798.29 of the Civil Code is amended to read:

1798.29. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(d) Any agency that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:

(1) The security breach notification shall be written in plain language.

(2) The security breach notification shall include, at a minimum, the following information:

(A) The name and contact information of the reporting agency subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver’s license or California identification card number.

(3) At the discretion of the agency, the security breach notification may also include any of the following:

(A) Information about what the agency has done to protect individuals whose information has been breached.

(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (i) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.

(e) Any agency that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(f) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(g) For purposes of this section, “personal information” means either of the following:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.

(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.

(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

(h) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

(i) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) Email notice when the agency has an email address for the subject persons.

(B) Conspicuous posting of the notice on the agency’s Internet Web site page, if the agency maintains one.

(C) Notification to major statewide media and the Office of Information Security within the Department of Technology.

(j) Notwithstanding subdivision (i), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

(k) Notwithstanding the exception specified in paragraph (4) of subdivision (b) of Section 1798.3, for purposes of this section, “agency” includes a local agency, as defined in subdivision (a) of Section 6252 of the Government Code.

begin insert SEC. 1.1. Section 1798.29 of the Civil Code is amended to read: end insert

1798.29. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(d) Any agency that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:

(1) The security breach notification shall be written in plain begin delete language. end delete begin insert language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice. end insert

begin insert
(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.

(B) The title and headings in the notice shall be clearly and conspicuously displayed.

(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.

(D) For a written notice described in paragraph (1) of subdivision (i), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
end insert

begin insert
[NAME OF INSTITUTION / LOGO]     Date: [insert date]

NOTICE OF DATA BREACH

What Happened?

What Information Was Involved?

What We Are Doing.

What You Can Do.

Other Important Information.

[insert other important information]

For More Information.

Call [telephone number] or go to [Internet Web site]
end insert

begin insert
(E) For an electronic notice described in paragraph (2) of subdivision (i), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
end insert

(2) The security breach notification begin insert described in paragraph (1) end insert shall include, at a minimum, the following information:

(A) The name and contact information of the reporting agency subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver’s license or California identification card number.

(3) At the discretion of the agency, the security breach notification may also include any of the following:

(A) Information about what the agency has done to protect individuals whose information has been breached.

(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

begin delete
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.
end delete

begin delete
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (i) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.
end delete

(e) Any agency that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(f) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(g) For purposes of this section, “personal information” means either of the following:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.

begin insert
(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.
end insert

(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

(h) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

(i) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) Email notice when the agency has an email address for the subject persons.

(B) Conspicuous begin delete posting end delete begin insert posting, for a minimum of 30 days, end insert of the notice on the agency’s Internet Web site page, if the agency maintains one. begin insert For purposes of this subparagraph, conspicuous posting on the agency’s Internet Web site means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link. end insert

(C) Notification to major statewide media and the Office of Information Security within the Department of Technology.

begin insert
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.
end insert

begin insert
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.
end insert

(j) Notwithstanding subdivision (i), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

(k) Notwithstanding the exception specified in paragraph (4) of subdivision (b) of Section 1798.3, for purposes of this section, “agency” includes a local agency, as defined in subdivision (a) of Section 6252 of the Government Code.

35begin insert

begin insertSEC. 1.end insertbegin insert2.end insert  

end insert

begin insertSection 1798.29 of the end insertbegin insertCivil Codeend insertbegin insert is amended to
36read:end insert

37

1798.29.  

(a) Any agency that owns or licenses computerized
38data that includes personal information shall disclose any breach
39of the security of the system following discovery or notification
40of the breach in the security of the data to any resident of California
P14   1whose unencrypted personal information was, or is reasonably
2believed to have been, acquired by an unauthorized person. The
3disclosure shall be made in the most expedient time possible and
4without unreasonable delay, consistent with the legitimate needs
5of law enforcement, as provided in subdivision (c), or any measures
6necessary to determine the scope of the breach and restore the
7reasonable integrity of the data system.

8(b) Any agency that maintains computerized data that includes
9personal information that the agency does not own shall notify the
10owner or licensee of the information of any breach of the security
11of the data immediately following discovery, if the personal
12information was, or is reasonably believed to have been, acquired
13by an unauthorized person.

14(c) The notification required by this section may be delayed if
15a law enforcement agency determines that the notification will
16impede a criminal investigation. The notification required by this
17section shall be made after the law enforcement agency determines
18that it will not compromise the investigation.

19(d) Any agency that is required to issue a security breach
20notification pursuant to this section shall meet all of the following
21requirements:

22(1) The security breach notification shall be written in plain
23language.

24(2) The security breach notification shall include, at a minimum,
25the following information:

26(A) The name and contact information of the reporting agency
27subject to this section.

28(B) A list of the types of personal information that were or are
29reasonably believed to have been the subject of a breach.

30(C) If the information is possible to determine at the time the
31notice is provided, then any of the following: (i) the date of the
32breach, (ii) the estimated date of the breach, or (iii) the date range
33within which the breach occurred. The notification shall also
34include the date of the notice.

35(D) Whether the notification was delayed as a result of a law
36enforcement investigation, if that information is possible to
37determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver’s license or California identification card number.

(3) At the discretion of the agency, the security breach notification may also include any of the following:

(A) Information about what the agency has done to protect individuals whose information has been breached.

(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (i) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.

(e) Any agency that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(f) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(g) For purposes of this section, “personal information” means either of the following:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.

begin insert

(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.

end insert

(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

(h) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

begin insert

(4) For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

end insert

(i) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) Email notice when the agency has an email address for the subject persons.

(B) Conspicuous posting of the notice on the agency’s Internet Web site page, if the agency maintains one.

(C) Notification to major statewide media and the Office of Information Security within the Department of Technology.

(j) Notwithstanding subdivision (i), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

(k) Notwithstanding the exception specified in paragraph (4) of subdivision (b) of Section 1798.3, for purposes of this section, “agency” includes a local agency, as defined in subdivision (a) of Section 6252 of the Government Code.

begin insert

SEC. 1.3. Section 1798.29 of the Civil Code is amended to read:

end insert

1798.29.

(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(d) Any agency that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:

(1) The security breach notification shall be written in plain begin delete language. end delete begin insert language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice. end insert

begin insert

(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.

end insert
begin insert

(B) The title and headings in the notice shall be clearly and conspicuously displayed.

end insert
begin insert

(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.

end insert
begin insert

(D) For a written notice described in paragraph (1) of subdivision (i), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.

end insert

begin insert

[NAME OF INSTITUTION / LOGO]     Date: [insert date]

NOTICE OF DATA BREACH

What Happened?

What Information Was Involved?

What We Are Doing.

What You Can Do.

Other Important Information.

[insert other important information]

For More Information.

Call [telephone number] or go to [Internet Web site]

end insert

begin insert

(E) For an electronic notice described in paragraph (2) of subdivision (i), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.

end insert

(2) The security breach notification begin insert described in paragraph (1) end insert shall include, at a minimum, the following information:

(A) The name and contact information of the reporting agency subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver’s license or California identification card number.

(3) At the discretion of the agency, the security breach notification may also include any of the following:

(A) Information about what the agency has done to protect individuals whose information has been breached.

(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

begin delete

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.

end delete
begin delete

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (i) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.

end delete

(e) Any agency that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(f) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(g) For purposes of this section, “personal information” means either of the following:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.

begin insert

(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.

end insert

(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

(h) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

begin insert

(4) For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

end insert

(i) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) Email notice when the agency has an email address for the subject persons.

(B) Conspicuous begin delete posting end delete begin insert posting, for a minimum of 30 days, end insert of the notice on the agency’s Internet Web site page, if the agency maintains one. begin insert For purposes of this subparagraph, conspicuous posting on the agency’s Internet Web site means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link. end insert

(C) Notification to major statewide media and the Office of Information Security within the Department of Technology.

begin insert

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.

end insert
begin insert

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.

end insert

(j) Notwithstanding subdivision (i), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

(k) Notwithstanding the exception specified in paragraph (4) of subdivision (b) of Section 1798.3, for purposes of this section, “agency” includes a local agency, as defined in subdivision (a) of Section 6252 of the Government Code.

SEC. 2. Section 1798.82 of the Civil Code is amended to read:

1798.82.

(a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.

(d) A person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:

(1) The security breach notification shall be written in plain language.

(2) The security breach notification shall include, at a minimum, the following information:

(A) The name and contact information of the reporting person or business subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.

(G) If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).

(3) At the discretion of the person or business, the security breach notification may also include any of the following:

(A) Information about what the person or business has done to protect individuals whose information has been breached.

(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (j) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.

(e) A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.

(f) A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(g) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(h) For purposes of this section, “personal information” means either of the following:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.

(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.

(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

(j) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) Email notice when the person or business has an email address for the subject persons.

(B) Conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains one.

(C) Notification to major statewide media.

(k) Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.

begin insert

SEC. 2.1. Section 1798.82 of the Civil Code is amended to read:

end insert

1798.82.

(a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.

(d) A person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:

(1) The security breach notification shall be written in plain begin delete language. end delete begin insert language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice. end insert

begin insert

(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.

end insert
begin insert

(B) The title and headings in the notice shall be clearly and conspicuously displayed.

end insert
begin insert

(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.

end insert
begin insert

(D) For a written notice described in paragraph (1) of subdivision (j), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.

end insert

begin insert

[NAME OF INSTITUTION / LOGO]     Date: [insert date]

NOTICE OF DATA BREACH

What Happened?

What Information Was Involved?

What We Are Doing.

What You Can Do.

Other Important Information.
[insert other important information]

For More Information.
Call [telephone number] or go to [Internet Web site]

end insert

begin insert

(E) For an electronic notice described in paragraph (2) of subdivision (j), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.

end insert

(2) The security breach notification begin insert described in paragraph (1) end insert shall include, at a minimum, the following information:

(A) The name and contact information of the reporting person or business subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.

(G) If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 begin delete months, end delete begin insert months end insert along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).

(3) At the discretion of the person or business, the security breach notification may also include any of the following:

(A) Information about what the person or business has done to protect individuals whose information has been breached.

(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

begin delete

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (j) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.

end delete

(e) A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.

(f) A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(g) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(h) For purposes of this section, “personal information” means either of the following:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.

begin insert

(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.

end insert

(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

(j) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) Email notice when the person or business has an email address for the subject persons.

(B) Conspicuous begin delete posting end delete begin insert posting, for a minimum of 30 days, end insert of the notice on the Internet Web site page of the person or business, if the person or business maintains one. begin insert For purposes of this subparagraph, conspicuous posting on the person’s or business’s Internet Web site means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link. end insert

(C) Notification to major statewide media.

begin insert

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.

end insert

(k) Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.

begin insert SEC. 2.2. Section 1798.82 of the Civil Code is amended to read: end insert

1798.82. (a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.

(d) A person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:

(1) The security breach notification shall be written in plain language.

(2) The security breach notification shall include, at a minimum, the following information:

(A) The name and contact information of the reporting person or business subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.

(G) If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).

(3) At the discretion of the person or business, the security breach notification may also include any of the following:

(A) Information about what the person or business has done to protect individuals whose information has been breached.

(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (j) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.

(e) A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.

(f) A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(g) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(h) For purposes of this section, “personal information” means either of the following:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.

begin insert

(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.

end insert

(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

begin insert

(4) For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

end insert

(j) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) Email notice when the person or business has an email address for the subject persons.

(B) Conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains one.

(C) Notification to major statewide media.

(k) Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.

begin insert SEC. 2.3. Section 1798.82 of the Civil Code is amended to read: end insert

1798.82. (a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

27(b) A person or business that maintains computerized data that
28includes personal information that the person or business does not
29own shall notify the owner or licensee of the information of the
30breach of the security of the data immediately following discovery,
31if the personal information was, or is reasonably believed to have
32been, acquired by an unauthorized person.

33(c) The notification required by this section may be delayed if
34a law enforcement agency determines that the notification will
35impede a criminal investigation. The notification required by this
36section shall be made promptly after the law enforcement agency
37determines that it will not compromise the investigation.

38(d) A person or business that is required to issue a security
39breach notification pursuant to this section shall meet all of the
40following requirements:

P41   1(1) The security breach notification shall be written in plain
2begin delete language.end deletebegin insert language, shall be titled “Notice of Data Breach,” and
3shall present the information described in paragraph (2) under
4the following headings: “What Happened,” “What Information
5Was Involved,” “What We Are Doing,” “What You Can Do,” and
6“For More Information.” Additional information may be provided
7as a supplement to the notice.end insert

begin insert

8(A) The format of the notice shall be designed to call attention
9to the nature and significance of the information it contains.

end insert
begin insert

10(B) The title and headings in the notice shall be clearly and
11 conspicuously displayed.

end insert
begin insert

12(C) The text of the notice and any other notice provided pursuant
13to this section shall be no smaller than 10-point type.

end insert
begin insert

14(D) For a written notice described in paragraph (1) of
15subdivision (j), use of the model security breach notification form
16prescribed below or use of the headings described in this
17paragraph with the information described in paragraph (2), written
18in plain language, shall be deemed to be in compliance with this
19subdivision.

end insert

20

 

begin insert
begin insert

[NAME OF INSTITUTION / LOGO]     Date: [insert date]

end insert
begin insert

NOTICE OF DATA BREACH

end insert
begin insert

What Happened?




 end insert
begin insert end insert
begin insert

What Information Was Involved?




end insert
begin insert end insert
begin insert

What We Are Doing.




end insert
begin insert end insert
begin insert

What You Can Do.




 end insert
begin insert end insert
begin insert

Other Important Information.

[insert other important information]









end insert
begin insert

For More Information.



end insert
begin insert

Call [telephone number] or go to [Internet Web site]

end insert
end insert
P42  2627

 


begin insertend insert
begin insert

28(E) For an electronic notice described in paragraph (2) of
29subdivision (j), use of the headings described in this paragraph
30with the information described in paragraph (2), written in plain
31language, shall be deemed to be in compliance with this
32subdivision.

end insert

33(2) The security breach notificationbegin insert described in paragraph (1)end insert
34 shall include, at a minimum, the following information:

35(A) The name and contact information of the reporting person
36or business subject to this section.

37(B) A list of the types of personal information that were or are
38reasonably believed to have been the subject of a breach.

P43   1(C) If the information is possible to determine at the time the
2notice is provided, then any of the following: (i) the date of the
3breach, (ii) the estimated date of the breach, or (iii) the date range
4within which the breach occurred. The notification shall also
5include the date of the notice.

6(D) Whether notification was delayed as a result of a law
7enforcement investigation, if that information is possible to
8 determine at the time the notice is provided.

9(E) A general description of the breach incident, if that
10information is possible to determine at the time the notice is
11provided.

12(F) The toll-free telephone numbers and addresses of the major
13credit reporting agencies if the breach exposed a social security
14number or a driver’s license or California identification card
15number.

16(G) If the person or business providing the notification was the
17source of the breach, an offer to provide appropriate identity theft
18prevention and mitigation services, if any, shall be provided at no
19cost to the affected person for not less than 12begin delete months,end deletebegin insert monthsend insert
20 along with all information necessary to take advantage of the offer
21to any person whose information was or may have been breached
22if the breach exposed or may have exposed personal information
23defined in subparagraphs (A) and (B) of paragraph (1) of
24subdivision (h).

25(3) At the discretion of the person or business, the security
26breach notification may also include any of the following:

27(A) Information about what the person or business has done to
28protect individuals whose information has been breached.

29(B) Advice on steps that the person whose information has been
30breached may take to protect himself or herself.

begin delete end deletebegin delete

31(4) In the case of a breach of the security of the system involving
32personal information defined in paragraph (2) of subdivision (h)
33for an online account, and no other personal information defined
34in paragraph (1) of subdivision (h), the person or business may
35comply with this section by providing the security breach
36notification in electronic or other form that directs the person whose
37personal information has been breached promptly to change his
38or her password and security question or answer, as applicable, or
39to take other steps appropriate to protect the online account with
40the person or business and all other online accounts for which the
P44   1person whose personal information has been breached uses the
2same user name or email address and password or security question
3or answer.

end delete
begin delete end deletebegin delete end deletebegin delete

4(5) In the case of a breach of the security of the system involving
5personal information defined in paragraph (2) of subdivision (h)
6for login credentials of an email account furnished by the person
7or business, the person or business shall not comply with this
8section by providing the security breach notification to that email
9address, but may, instead, comply with this section by providing
10notice by another method described in subdivision (j) or by clear
11and conspicuous notice delivered to the resident online when the
12resident is connected to the online account from an Internet
13Protocol address or online location from which the person or
14business knows the resident customarily accesses the account.

end delete
begin delete end delete

(e) A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.

(f) A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(g) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(h) For purposes of this section, “personal information” means either of the following:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.

begin insert

(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.

end insert

(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

begin insert

(4) For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

end insert

(j) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) Email notice when the person or business has an email address for the subject persons.

(B) Conspicuous begin delete posting end delete begin insert posting, for a minimum of 30 days, end insert of the notice on the Internet Web site page of the person or business, if the person or business maintains one. begin insert For purposes of this subparagraph, conspicuous posting on the person’s or business’s Internet Web site means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link. end insert

(C) Notification to major statewide media.

begin insert

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.

end insert
begin insert

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.

end insert

(k) Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.

SEC. 3. Title 1.81.23 (commencing with Section 1798.90.5) is added to Part 4 of Division 3 of the Civil Code, to read:

Title 1.81.23.  COLLECTION OF LICENSE PLATE INFORMATION

1798.90.5. The following definitions shall apply for purposes of this title:

(a) “Automated license plate recognition end-user” or “ALPR end-user” means a person that accesses or uses an ALPR system, but does not include any of the following:

(1) A transportation agency when subject to Section 31490 of the Streets and Highways Code.

(2) A person that is subject to Sections 6801 to 6809, inclusive, of Title 15 of the United States Code and state or federal statutes or regulations implementing those sections, if the person is subject to compliance oversight by a state or federal regulatory agency with respect to those sections.

(3) A person, other than a law enforcement agency, to whom information may be disclosed as a permissible use pursuant to Section 2721 of Title 18 of the United States Code.

(b) “Automated license plate recognition information,” or “ALPR information” means information or data collected through the use of an ALPR system.

(c) “Automated license plate recognition operator” or “ALPR operator” means a person that operates an ALPR system, but does not include a transportation agency when subject to Section 31490 of the Streets and Highways Code.

(d) “Automated license plate recognition system” or “ALPR system” means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.

(e) “Person” means any natural person, public agency, partnership, firm, association, corporation, limited liability company, or other legal entity.

(f) “Public agency” means the state, any city, county, or city and county, or any agency or political subdivision of the state or a city, county, or city and county, including, but not limited to, a law enforcement agency.

1798.90.51. An ALPR operator shall do all of the following:

(a) Maintain reasonable security procedures and practices, including operational, administrative, technical, and physical safeguards, to protect ALPR information from unauthorized access, destruction, use, modification, or disclosure.

(b) (1) Implement a usage and privacy policy in order to ensure that the collection, use, maintenance, sharing, and dissemination of ALPR information is consistent with respect for individuals’ privacy and civil liberties. The usage and privacy policy shall be available to the public in writing, and, if the ALPR operator has an Internet Web site, the usage and privacy policy shall be posted conspicuously on that Internet Web site.

(2) The usage and privacy policy shall, at a minimum, include all of the following:

(A) The authorized purposes for using the ALPR system and collecting ALPR information.

(B) A description of the job title or other designation of the employees and independent contractors who are authorized to use or access the ALPR system, or to collect ALPR information. The policy shall identify the training requirements necessary for those authorized employees and independent contractors.

(C) A description of how the ALPR system will be monitored to ensure the security of the information and compliance with applicable privacy laws.

(D) The purposes of, process for, and restrictions on, the sale, sharing, or transfer of ALPR information to other persons.

(E) The title of the official custodian, or owner, of the ALPR system responsible for implementing this section.

(F) A description of the reasonable measures that will be used to ensure the accuracy of ALPR information and correct data errors.

(G) The length of time ALPR information will be retained, and the process the ALPR operator will utilize to determine if and when to destroy retained ALPR information.

1798.90.52. If an ALPR operator accesses or provides access to ALPR information, the ALPR operator shall do both of the following:

(a) Maintain a record of that access. At a minimum, the record shall include all of the following:

(1) The date and time the information is accessed.

(2) The license plate number or other data elements used to query the ALPR system.

(3) The username of the person who accesses the information, and, as applicable, the organization or entity with whom the person is affiliated.

(4) The purpose for accessing the information.

(b) Require that ALPR information only be used for the authorized purposes described in the usage and privacy policy required by subdivision (b) of Section 1798.90.51.

1798.90.53. An ALPR end-user shall do all of the following:

(a) Maintain reasonable security procedures and practices, including operational, administrative, technical, and physical safeguards, to protect ALPR information from unauthorized access, destruction, use, modification, or disclosure.

(b) (1) Implement a usage and privacy policy in order to ensure that the access, use, sharing, and dissemination of ALPR information is consistent with respect for individuals’ privacy and civil liberties. The usage and privacy policy shall be available to the public in writing, and, if the ALPR end-user has an Internet Web site, the usage and privacy policy shall be posted conspicuously on that Internet Web site.

(2) The usage and privacy policy shall, at a minimum, include all of the following:

(A) The authorized purposes for accessing and using ALPR information.

(B) A description of the job title or other designation of the employees and independent contractors who are authorized to access and use ALPR information. The policy shall identify the training requirements necessary for those authorized employees and independent contractors.

(C) A description of how the ALPR system will be monitored to ensure the security of the information accessed or used, and compliance with all applicable privacy laws and a process for periodic system audits.

(D) The purposes of, process for, and restrictions on, the sale, sharing, or transfer of ALPR information to other persons.

(E) The title of the official custodian, or owner, of the ALPR information responsible for implementing this section.

(F) A description of the reasonable measures that will be used to ensure the accuracy of ALPR information and correct data errors.

(G) The length of time ALPR information will be retained, and the process the ALPR end-user will utilize to determine if and when to destroy retained ALPR information.

1798.90.54. (a) In addition to any other sanctions, penalties, or remedies provided by law, an individual who has been harmed by a violation of this title, including, but not limited to, unauthorized access or use of ALPR information or a breach of security of an ALPR system, may bring a civil action in any court of competent jurisdiction against a person who knowingly caused the harm.

(b) The court may award a combination of any one or more of the following:

(1) Actual damages, but not less than liquidated damages in the amount of two thousand five hundred dollars ($2,500).

(2) Punitive damages upon proof of willful or reckless disregard of the law.

(3) Reasonable attorney’s fees and other litigation costs reasonably incurred.

(4) Other preliminary and equitable relief as the court determines to be appropriate.

1798.90.55. Notwithstanding any other law or regulation:

(a) A public agency that operates or intends to operate an ALPR system shall provide an opportunity for public comment at a regularly scheduled public meeting of the governing body of the public agency before implementing the program.

(b) A public agency shall not sell, share, or transfer ALPR information, except to another public agency, and only as otherwise permitted by law. For purposes of this section, the provision of data hosting or towing services shall not be considered the sale, sharing, or transferring of ALPR information.

begin insert

SEC. 4. (a) Section 1.1 of this bill incorporates amendments to Section 1798.29 of the Civil Code proposed by both this bill and Senate Bill 570. It shall only become operative if (1) both bills are enacted and become effective on or before January 1, 2016, (2) each bill amends Section 1798.29 of the Civil Code, (3) Assembly Bill 964 is not enacted or as enacted does not amend that section, and (4) this bill is enacted after Senate Bill 570, in which case Sections 1, 1.2, and 1.3 of this bill shall not become operative.

end insert
begin insert

(b) Section 1.2 of this bill incorporates amendments to Section 1798.29 of the Civil Code proposed by both this bill and Assembly Bill 964. It shall only become operative if (1) both bills are enacted and become effective on or before January 1, 2016, (2) each bill amends Section 1798.29 of the Civil Code, (3) Senate Bill 570 is not enacted or as enacted does not amend that section, and (4) this bill is enacted after Assembly Bill 964, in which case Sections 1, 1.1, and 1.3 of this bill shall not become operative.

end insert
begin insert

(c) Section 1.3 of this bill incorporates amendments to Section 1798.29 of the Civil Code proposed by this bill, Senate Bill 570, and Assembly Bill 964. It shall only become operative if (1) all three bills are enacted and become effective on or before January 1, 2016, (2) all three bills amend Section 1798.29 of the Civil Code, and (3) this bill is enacted after Senate Bill 570 and Assembly Bill 964, in which case Sections 1, 1.1, and 1.2 of this bill shall not become operative.

end insert
begin insert

SEC. 5. (a) Section 2.1 of this bill incorporates amendments to Section 1798.82 of the Civil Code proposed by both this bill and Senate Bill 570. It shall only become operative if (1) both bills are enacted and become effective on or before January 1, 2016, (2) each bill amends Section 1798.82 of the Civil Code, (3) Assembly Bill 964 is not enacted or as enacted does not amend that section, and (4) this bill is enacted after Senate Bill 570, in which case Sections 2, 2.2, and 2.3 of this bill shall not become operative.

end insert
begin insert

(b) Section 2.2 of this bill incorporates amendments to Section 1798.82 of the Civil Code proposed by both this bill and Assembly Bill 964. It shall only become operative if (1) both bills are enacted and become effective on or before January 1, 2016, (2) each bill amends Section 1798.82 of the Civil Code, (3) Senate Bill 570 is not enacted or as enacted does not amend that section, and (4) this bill is enacted after Assembly Bill 964, in which case Sections 2, 2.1, and 2.3 of this bill shall not become operative.

end insert
begin insert

(c) Section 2.3 of this bill incorporates amendments to Section 1798.82 of the Civil Code proposed by this bill, Senate Bill 570, and Assembly Bill 964. It shall only become operative if (1) all three bills are enacted and become effective on or before January 1, 2016, (2) all three bills amend Section 1798.82 of the Civil Code, and (3) this bill is enacted after Senate Bill 570 and Assembly Bill 964, in which case Sections 2, 2.1, and 2.2 of this bill shall not become operative.

end insert

