In this post, we’ll quickly cover the highlights of what you need to know about California’s Data Breach Notification Statute.
What is California’s Data Breach Notification Law?
Many states in the US have data privacy and protection statutes as part of their legal codes. For the most part, these codify what types of PII/PI constitute a data breach, as well as when and how an entity doing business should communicate with customers if a data breach occurs.
California’s Data Breach Notification Law vs CCPA
The California Data Breach Notification Law should not be confused with the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA, colloquially known as “CCPA 2.0”). The data breach notification law, passed in 2003, predates the CCPA by nearly two decades. All of these laws, however, are part of the same legal framework. The CCPA/CPRA predominantly gives consumers certain rights—like the Right to Know and the Right to Delete—that require companies to know where Californians’ personal information is stored.
It’s worth noting, though, that the CCPA does contain an enforcement mechanism tied to data breaches: a “Private Right of Action” that allows consumers impacted by a data breach to sue the breached organization. Penalties can range from $100 to $750 per consumer per incident.
What does the California Data Breach Notification Law say?
The law (Cal. Civ. Code §1798.82) centers on defining when notification of a data breach must occur and what types of personal information (PI), if exposed, constitute a data breach.
Any entity (a person or business) that conducts operations in California and manages, stores, or uses digital personal information is required to disclose a security breach immediately after discovering or becoming aware of it. The law makes an exception for cases where notification may be delayed by a law enforcement investigation.
Included with the law is a template illustrating the format that a data breach notification should take. Additionally, the law defines what information constitutes exposure of personal information. See the subsections quoted verbatim below.
For purposes of this section, “personal information” means either of the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
(F) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
(G) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.
(H) Genetic data.
(2) A username or email address, in combination with a password or security question and answer, that would permit access to an online account.
How can you protect California PI?
California takes data privacy and security enforcement seriously, which means that if you have the personal information of any Californians, you’ll need to ensure that it’s not exposed to unauthorized parties.
Many companies use Nightfall, a cloud-native data loss prevention solution, to accomplish this. Nightfall integrates with cloud services like Slack, Confluence, Salesforce, Google Drive, and more in order to discover, classify, and protect sensitive data. Nightfall uses machine learning detectors, each trained on a specific type of PII or sensitive data—like person name, address, API keys, and more—in order to classify content in a file or message. Once identified, this sensitive data can be remediated through some action like redaction or, if appropriate, deletion.
Nightfall’s simple interface allows you to create remediation policies that tell the platform:
- What type of data Nightfall’s machine detectors should look for.
- Where Nightfall should scan for the data within a given app. For example, in Slack you can scan within public and private channels, DMs, or Slack Connect channels depending on which tier of Nightfall you’re using. Use the PI template below to see where you should scan for Californian personal information.
- How to handle any positive findings. Nightfall can be configured to take remediation actions automatically. Because Nightfall integrates at the API level, the available actions are contextually relevant and specific to each app. For example, within Slack policies you can automatically redact any message containing sensitive data, whereas in Google Drive you can alter the permissions of any files containing sensitive data.
- Alert. Alert you to inappropriately exposed PII in a message or file. This happens automatically, but you need to specify whether you want to receive alerts via email, via Slack, or via webhook to a SIEM. Alerts contain detailed metadata that gives you all the context you need to assess your risk.
- User Education. Notify end users about any policy violations they’ve created. Notifications can contain custom messages, allowing you to educate employees about proper etiquette and policy to turn an incident into a teachable moment. This action can be taken manually or automated.
- Delete. Completely delete the file or message containing the finding. This is an action that can be taken manually or automated.
- And much more.
California data breach & PI templates
You can use Nightfall to discover, classify, and protect any California-defined PI from accidental exposure. For most standard scenarios, we recommend the following Detection Rule templates to protect California Personal Information: