SB 570, as amended, Jackson. Personal information: privacy: breach.
Existing law requires a person or business conducting business in California and any agency, as defined, that owns or licenses computerized data that includes personal information, as defined, to disclose a breach of the security of the system in the most expedient time possible and without unreasonable delay, as specified. Existing law requires a person, business, or agency that is required to issue a security breach notification to meet specific requirements, including that the notification be written in plain language.
This bill would additionally require the security breach notification to be titled “Notice of Data Breach” and to present the information under prescribed headings. The bill would prescribe a model security breach notification form, as specified.
This bill would incorporate additional changes to Section 1798.29 of the Civil Code proposed by SB 34 and AB 964, that would become operative if this bill and one or both of those bills are enacted and this bill is chaptered last.
This bill also would incorporate additional changes to Section 1798.82 of the Civil Code proposed by SB 34 and AB 964, that would become operative if this bill and one or both of those bills are enacted and this bill is enacted last.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 1798.29 of the Civil Code is amended to read:
(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.
(d) Any agency that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:
(1) The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.
(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.
(B) The title and headings in the notice shall be clearly and conspicuously displayed.
(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.
(D) For a written notice described in paragraph (1) of subdivision (i), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
[NAME OF INSTITUTION / LOGO]    Date: [insert date]
NOTICE OF DATA BREACH
What Happened?
What Information Was Involved?
What We Are Doing.
What You Can Do.
Other Important Information. [insert other important information]
For More Information. Call [telephone number] or go to [Internet Web site]
(E) For an electronic notice described in paragraph (2) of subdivision (i), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
(2) The security breach notification described in paragraph (1) shall include, at a minimum, the following information:
(A) The name and contact information of the reporting agency subject to this section.
(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.
(D) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(F) The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver’s license or California identification card number.
(3) At the discretion of the agency, the security breach notification may also include any of the following:
(A) Information about what the agency has done to protect individuals whose information has been breached.
(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.
(e) Any agency that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
(f) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(g) For purposes of this section, “personal information” means either of the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
(h) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
(i) For purposes of this section, “notice” may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:
(A) Email notice when the agency has an email address for the subject persons.
(B) Conspicuous posting, for a minimum of 30 days, of the notice on the agency’s Internet Web site page, if the agency maintains one. For purposes of this subparagraph, conspicuous posting on the agency’s Internet Web site means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link.
(C) Notification to major statewide media and the Office of Information Security within the Department of Technology.
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.
(j) Notwithstanding subdivision (i), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.
(k) Notwithstanding the exception specified in paragraph (4) of subdivision (b) of Section 1798.3, for purposes of this section, “agency” includes a local agency, as defined in subdivision (a) of Section 6252 of the Government Code.
Section 1798.29 of the Civil Code is amended to read:
(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.
(d) Any agency that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:
(1) The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.
(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.
(B) The title and headings in the notice shall be clearly and conspicuously displayed.
(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.
(D) For a written notice described in paragraph (1) of subdivision (i), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
[NAME OF INSTITUTION / LOGO]    Date: [insert date]
NOTICE OF DATA BREACH
What Happened?
What Information Was Involved?
What We Are Doing.
What You Can Do.
Other Important Information. [insert other important information]
For More Information. Call [telephone number] or go to [Internet Web site]
(E) For an electronic notice described in paragraph (2) of subdivision (i), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
(2) The security breach notification described in paragraph (1) shall include, at a minimum, the following information:
(A) The name and contact information of the reporting agency subject to this section.
(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.
(D) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(F) The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver’s license or California identification card number.
(3) At the discretion of the agency, the security breach notification may also include any of the following:
(A) Information about what the agency has done to protect individuals whose information has been breached.
(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (i) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.
(e) Any agency that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
(f) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(g) For purposes of this section, “personal information” means either of the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.
(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
(h) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
(i) For purposes of this section, “notice” may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:
(A) Email notice when the agency has an email address for the subject persons.
(B) Conspicuous posting, for a minimum of 30 days, of the notice on the agency’s Internet Web site page, if the agency maintains one. For purposes of this subparagraph, conspicuous posting on the agency’s Internet Web site means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link.
(C) Notification to major statewide media and the Office of Information Security within the Department of Technology.
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.
(j) Notwithstanding subdivision (i), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.
(k) Notwithstanding the exception specified in paragraph (4) of subdivision (b) of Section 1798.3, for purposes of this section, “agency” includes a local agency, as defined in subdivision (a) of Section 6252 of the Government Code.
Section 1798.29 of the Civil Code is amended to read:
(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.
(d) Any agency that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:
(1) The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.
(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.
(B) The title and headings in the notice shall be clearly and conspicuously displayed.
(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.
(D) For a written notice described in paragraph (1) of subdivision (i), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
[NAME OF INSTITUTION / LOGO]    Date: [insert date]
NOTICE OF DATA BREACH
What Happened?
What Information Was Involved?
What We Are Doing.
What You Can Do.
Other Important Information. [insert other important information]
For More Information. Call [telephone number] or go to [Internet Web site]
P17 1(E) For an electronic notice described in paragraph (2) of
2subdivision (i), use of the headings described
in this paragraph
3with the information described in paragraph (2), written in plain
4language, shall be deemed to be in compliance with this
5subdivision.
6(2) The security breach notificationbegin insert
described in paragraph (1)end insert
7 shall include, at a minimum, the following information:
8(A) The name and contact information of the reporting agency
9subject to this section.
10(B) A list of the types of personal information that were or are
11reasonably believed to have been the subject of a breach.
12(C) If the information is possible to determine at the time the
13notice is provided, then any of the following: (i) the date of the
14breach, (ii) the estimated date of the breach, or (iii) the date range
15within which the breach occurred. The notification shall also
16include the date of the notice.
17(D) Whether the notification was delayed as a result of a law
18enforcement investigation, if that information is possible to
19determine at
the time the notice is provided.
20(E) A general description of the breach incident, if that
21information is possible to determine at the time the notice is
22provided.
23(F) The toll-free telephone numbers and addresses of the major
24credit reporting agencies, if the breach exposed a social security
25number or a driver’s license or California identification card
26number.
27(3) At the discretion of the agency, the security breach
28notification may also include any of the following:
29(A) Information about what the agency has done to protect
30individuals whose information has been breached.
31(B) Advice on steps that the person whose information has been
32breached may take to protect himself or herself.
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (i) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.
(e) Any agency that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
(f) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(g) For purposes of this section, “personal information” means either of the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
(h) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
(4) For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.
(i) For purposes of this section, “notice” may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:
(A) Email notice when the agency has an email address for the subject persons.
(B) Conspicuous begin delete posting end delete begin insert posting, for a minimum of 30 days, end insert of the notice on the agency’s Internet Web site page, if the agency maintains one. begin insert For purposes of this subparagraph, conspicuous posting on the agency’s Internet Web site means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link. end insert
(C) Notification to major statewide media and the Office of Information Security within the Department of Technology.
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.
(j) Notwithstanding subdivision (i), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.
(k) Notwithstanding the exception specified in paragraph (4) of subdivision (b) of Section 1798.3, for purposes of this section, “agency” includes a local agency, as defined in subdivision (a) of Section 6252 of the Government Code.
begin insert Section 1798.29 of the Civil Code is amended to read: end insert
(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.
(d) Any agency that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:
(1) The security breach notification shall be written in plain begin delete language. end delete begin insert language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice. end insert
(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.
(B) The title and headings in the notice shall be clearly and conspicuously displayed.
(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.
(D) For a written notice described in paragraph (1) of subdivision (i), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
begin insert
[NAME OF INSTITUTION / LOGO]    Date: [insert date]
NOTICE OF DATA BREACH
What Happened?
What Information Was Involved?
What We Are Doing.
What You Can Do.
Other Important Information. [insert other important information]
For More Information. Call [telephone number] or go to [Internet Web site]
end insert
(E) For an electronic notice described in paragraph (2) of subdivision (i), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
(2) The security breach notification begin insert described in paragraph (1) end insert shall include, at a minimum, the following information:
(A) The name and contact information of the reporting agency subject to this section.
(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.
(D) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(F) The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver’s license or California identification card number.
(3) At the discretion of the agency, the security breach notification may also include any of the following:
(A) Information about what the agency has done to protect individuals whose information has been breached.
(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (i) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.
(e) Any agency that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
(f) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(g) For purposes of this section, “personal information” means either of the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
begin insert (F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5. end insert
(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
(h) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
(4) For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.
(i) For purposes of this section, “notice” may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:
(A) Email notice when the agency has an email address for the subject persons.
(B) Conspicuous begin delete posting end delete begin insert posting, for a minimum of 30 days, end insert of the notice on the agency’s Internet Web site page, if the agency maintains one. begin insert For purposes of this subparagraph, conspicuous posting on the agency’s Internet Web site means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link. end insert
(C) Notification to major statewide media and the Office of Information Security within the Department of Technology.
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.
(j) Notwithstanding subdivision (i), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.
(k) Notwithstanding the exception specified in paragraph (4) of subdivision (b) of Section 1798.3, for purposes of this section, “agency” includes a local agency, as defined in subdivision (a) of Section 6252 of the Government Code.
Section 1798.82 of the Civil Code is amended to read:
(a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(b) A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.
(d) A person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:
(1) The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.
(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.
(B) The title and headings in the notice shall be clearly and conspicuously displayed.
(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.
(D) For a written notice described in paragraph (1) of subdivision (j), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
[NAME OF INSTITUTION / LOGO]    Date: [insert date]
NOTICE OF DATA BREACH
What Happened?
What Information Was Involved?
What We Are Doing.
What You Can Do.
Other Important Information. [insert other important information]
For More Information. Call [telephone number] or go to [Internet Web site]
(E) For an electronic notice described in paragraph (2) of subdivision (j), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
(2) The security breach notification described in paragraph (1) shall include, at a minimum, the following information:
(A) The name and contact information of the reporting person or business subject to this section.
(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.
(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.
(G) If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).
(3) At the discretion of the person or business, the security breach notification may also include any of the following:
(A) Information about what the person or business has done to protect individuals whose information has been breached.
(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.
(e) A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.
(f) A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
(g) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(h) For purposes of this section, “personal information” means either of the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
(j) For purposes of this section, “notice” may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:
(A) Email notice when the person or business has an email address for the subject persons.
(B) Conspicuous posting, for a minimum of 30 days, of the notice on the Internet Web site page of the person or business, if the person or business maintains one. For purposes of this subparagraph, conspicuous posting on the person’s or business’ Internet Web site means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link.
(C) Notification to major statewide media.
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.
(k) Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.
begin insert Section 1798.82 of the Civil Code is amended to read: end insert
(a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(b) A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.
(d) A person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:
(1) The security breach notification shall be written in plain begin delete language. end delete begin insert language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice. end insert
(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.
(B) The title and headings in the notice shall be clearly and conspicuously displayed.
(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.
(D) For a written notice described in paragraph (1) of subdivision (j), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
begin insert
[NAME OF INSTITUTION / LOGO]    Date: [insert date]
NOTICE OF DATA BREACH
What Happened?
What Information Was Involved?
What We Are Doing.
What You Can Do.
Other Important Information. [insert other important information]
For More Information. Call [telephone number] or go to [Internet Web site]
end insert
(E) For an electronic notice described in paragraph (2) of subdivision (j), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
(2) The security breach notification begin insert described in paragraph (1) end insert shall include, at a minimum, the following information:
(A) The name and contact information of the reporting person or business subject to this section.
(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.
(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.
(G) If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 begin delete months, end delete begin insert months end insert along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).
(3) At the discretion of the person or business, the security breach notification may also include any of the following:
(A) Information about what the person or business has done to protect individuals whose information has been breached.
(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (j) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.
(e) A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.
(f) A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
(g) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(h) For purposes of this section, “personal information” means either of the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
begin insert (F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5. end insert
(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
(j) For purposes of this section, “notice” may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:
(A) Email notice when the person or business has an email address for the subject persons.
(B) Conspicuous begin delete posting end delete begin insert posting, for a minimum of 30 days, end insert of the notice on the Internet Web site page of the person or business, if the person or business maintains one. begin insert For purposes of this subparagraph, conspicuous posting on the person’s or business’s Internet Web site means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link. end insert
(C) Notification to major statewide media.
begin insert
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.
end insert
(k) Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.
begin insert Section 1798.82 of the Civil Code is amended to read: end insert
(a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(b) A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.
(d) A person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:
(1) The security breach notification shall be written in plain begin delete language. end delete begin insert language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice. end insert
(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.
(B) The title and headings in the notice shall be clearly and conspicuously displayed.
(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.
(D) For a written notice described in paragraph (1) of subdivision (j), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
begin insert
[NAME OF INSTITUTION / LOGO]    Date: [insert date]
NOTICE OF DATA BREACH
What Happened?
What Information Was Involved?
What We Are Doing.
What You Can Do.
Other Important Information. [insert other important information]
For More Information. Call [telephone number] or go to [Internet Web site]
end insert
(E) For an electronic notice described in paragraph (2) of subdivision (j), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
(2) The security breach notification begin insert described in paragraph (1) end insert shall include, at a minimum, the following information:
(A) The name and contact information of the reporting person or business subject to this section.
(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.
(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.
(G) If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 begin delete months, end delete begin insert months end insert along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).
(3) At the discretion of the person or business, the security breach notification may also include any of the following:
(A) Information about what the person or business has done to protect individuals whose information has been breached.
(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (j) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.
(e) A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.
(f) A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
(g) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(h) For purposes of this section, “personal information” means either of the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
(4) For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.
(j) For purposes of this section, “notice” may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:
(A) Email notice when the person or business has an email address for the subject persons.
(B) Conspicuous begin delete posting end delete begin insert posting, for a minimum of 30 days, end insert of the notice on the Internet Web site page of the person or business, if the person or business maintains one. begin insert For purposes of this subparagraph, conspicuous posting on the person’s or business’s Internet Web site means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link. end insert
(C) Notification to major statewide media.
begin insert
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.
end insert
(k) Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.
begin insert Section 1798.82 of the Civil Code is amended to read: end insert
(a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(b) A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.
(d) A person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:
(1) The security breach notification shall be written in plain begin delete language. end delete begin insert language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice. end insert
(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.
(B) The title and headings in the notice shall be clearly and conspicuously displayed.
(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.
(D) For a written notice described in paragraph (1) of subdivision (j), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
begin insert

[NAME OF INSTITUTION / LOGO]                                   Date: [insert date]

                              NOTICE OF DATA BREACH

What Happened?

What Information Was Involved?

What We Are Doing.

What You Can Do.

Other Important Information. [insert other important information]

For More Information.  Call [telephone number] or go to [Internet Web site]

end insert
(E) For an electronic notice described in paragraph (2) of subdivision (j), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.

(2) The security breach notification begin insert described in paragraph (1) end insert shall include, at a minimum, the following information:

(A) The name and contact information of the reporting person or business subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.

(G) If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 begin delete months, end delete begin insert months end insert along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).

(3) At the discretion of the person or business, the security breach notification may also include any of the following:

(A) Information about what the person or business has done to protect individuals whose information has been breached.

(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (j) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.
(e) A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.

(f) A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(g) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(h) For purposes of this section, “personal information” means either of the following:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.
begin insert

(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.

(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

(4) For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

(j) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) Email notice when the person or business has an email address for the subject persons.

(B) Conspicuous begin delete posting end delete begin insert posting, for a minimum of 30 days, end insert of the notice on the Internet Web site page of the person or business, if the person or business maintains one. begin insert For purposes of this subparagraph, conspicuous posting on the person’s or business’s Internet Web site means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link. end insert

(C) Notification to major statewide media.

begin insert

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.

(k) Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.
(a) Section 1.1 of this bill incorporates amendments to Section 1798.29 of the Civil Code proposed by both this bill and Senate Bill 34. It shall only become operative if (1) both bills are enacted and become effective on or before January 1, 2016, (2) each bill amends Section 1798.29 of the Civil Code, (3) Assembly Bill 964 is not enacted or as enacted does not amend that section, and (4) this bill is enacted after Senate Bill 34, in which case Sections 1, 1.2, and 1.3 of this bill shall not become operative.

(b) Section 1.2 of this bill incorporates amendments to Section 1798.29 of the Civil Code proposed by both this bill and Assembly Bill 964. It shall only become operative if (1) both bills are enacted and become effective on or before January 1, 2016, (2) each bill amends Section 1798.29 of the Civil Code, (3) Senate Bill 34 is not enacted or as enacted does not amend that section, and (4) this bill is enacted after Assembly Bill 964, in which case Sections 1, 1.1, and 1.3 of this bill shall not become operative.

(c) Section 1.3 of this bill incorporates amendments to Section 1798.29 of the Civil Code proposed by this bill, Senate Bill 34, and Assembly Bill 964. It shall only become operative if (1) all three bills are enacted and become effective on or before January 1, 2016, (2) all three bills amend Section 1798.29 of the Civil Code, and (3) this bill is enacted after Senate Bill 34 and Assembly Bill 964, in which case Sections 1, 1.1, and 1.2 of this bill shall not become operative.
(a) Section 2.1 of this bill incorporates amendments to Section 1798.82 of the Civil Code proposed by both this bill and Senate Bill 34. It shall only become operative if (1) both bills are enacted and become effective on or before January 1, 2016, (2) each bill amends Section 1798.82 of the Civil Code, (3) Assembly Bill 964 is not enacted or as enacted does not amend that section, and (4) this bill is enacted after Senate Bill 34, in which case Sections 2, 2.2, and 2.3 of this bill shall not become operative.

(b) Section 2.2 of this bill incorporates amendments to Section 1798.82 of the Civil Code proposed by both this bill and Assembly Bill 964. It shall only become operative if (1) both bills are enacted and become effective on or before January 1, 2016, (2) each bill amends Section 1798.82 of the Civil Code, (3) Senate Bill 34 is not enacted or as enacted does not amend that section, and (4) this bill is enacted after Assembly Bill 964, in which case Sections 2, 2.1, and 2.3 of this bill shall not become operative.

(c) Section 2.3 of this bill incorporates amendments to Section 1798.82 of the Civil Code proposed by this bill, Senate Bill 34, and Assembly Bill 964. It shall only become operative if (1) all three bills are enacted and become effective on or before January 1, 2016, (2) all three bills amend Section 1798.82 of the Civil Code, and (3) this bill is enacted after Senate Bill 34 and Assembly Bill 964, in which case Sections 2, 2.1, and 2.2 of this bill shall not become operative.