California Civil Code § 1798.29 (state agencies) & § 1798.80 et seq.
Enacted: § 1798.29 - 7.1.2003 & § 1798.82 - 9.26.2002
Type of Data Covered: §1798.29 & §1798.82 cover only computerized data and do not apply to physical forms of data. See §1798.29(a) & §1798.82(g).
Is Breach Defined?
Yes! In §1798.29(f) the definition is as follows: "For purposes of this section, 'breach of the security of the system' means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure."
The definition is exactly the same in §1798.82(g).
When is notice required?
§1798.29: Subsection A says "disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, ..., or any measures necessary to determine the scope of the breach and restore integrity of the data system." Subsection D details the exact information that must be included in the notice and the specific formatting that must be used. Breaches impacting over 500 residents trigger a requirement that a copy of the breach notice be sent to the Attorney General's office. Subsection I specifies that written, electronic, and substitute notice may be used depending on the circumstances.
§1798.82: While the section headings are different, the language is the same in both sections for notice requirements. The notice requirements are extremely detailed and do not leave much room for companies to get creative with the disclosure. These requirements limit the ability of companies that have a security breach to obfuscate the disclosure.
What are the penalties for non-compliance?
Any customer that is injured may institute a civil action under §1798.82 to recover damages, and any business that violates the requirements may be enjoined. There are no statutory damage provisions under §1798.29, and the Attorney General has enforcement rights.