Five Things California Businesses Should Know
Beginning on January 1, 2014, California businesses and agencies that own or license electronic data (including personal identifying information) must conform to updated security breach notification requirements. The update expands what counts as personal information and how notice must be given, so a breach that previously fell outside the notification rules may now trigger them. Some things businesses need to know about the updated requirements include:
A disclosure about any security breach must be made as soon as possible and without unreasonable delay. The only exception is when a law enforcement agency determines that notification would impede an ongoing criminal investigation.
Disclosures must be in plain language and include the business name and contact information, the type of information at risk in the breach, the date (or estimated date range) of the breach, whether notification was delayed because of a law enforcement investigation, and the toll-free phone numbers and addresses of the major credit reporting agencies if social security numbers, driver's license numbers, or California identification card numbers were at risk.
Disclosures must be made in writing or via electronic notification. A substitute method (such as email, a conspicuous posting on the business's website, and notification to major statewide media) may be used if the breach affected over 500,000 individuals, there isn't sufficient contact information for sending disclosures, or the cost of mailed disclosures would exceed $250,000.
If a security breach involves only online login credentials (a username or email address together with a password or a security question and answer), notification may be in the form of electronic communication directing individuals to promptly change their password and security question and answer.
Breaches that involve the login credentials for an email account must be disclosed via a contact method other than the compromised email address itself, since the attacker may be reading that inbox.
For a security breach to fall under the new notification rules, it must put personal identifying information at risk. Such information is defined to include an individual's name in combination with a social security number, driver's license or California identification card number, account or credit card number (with any required access code or password), medical information, or health insurance information. Under the updated law it also includes a username or email address in combination with a password or security question and answer that would permit access to an online account.
Did you know about the change in notification laws? How are you protecting your customers' PII, especially when it is contained in printed documents?