(a) (1) An individual or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person, and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable.

(2) (A) Subject to subparagraph (B), the disclosure required by this subdivision shall be made within 30 calendar days of discovery or notification of the data breach.

(B) An individual or business may delay the disclosure required by this subdivision to accommodate the legitimate needs of law enforcement, pursuant to subdivision (c), or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) An individual or business that maintains computerized data that includes personal information that the individual or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.

(d) An individual or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:

(1) The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened?” “What Information Was Involved?” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.

(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.

(B) The title and headings in the notice shall be clearly and conspicuously displayed.

(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.

(D) For a written notice described in paragraph (1) of subdivision (j), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.

[NAME OF INSTITUTION / LOGO] Date: [insert date]
NOTICE OF DATA BREACH
What Happened?
What Information Was Involved?
What We Are Doing.
What You Can Do.
Other Important Information. [insert other important information]
For More Information. Call [telephone number] or go to [internet website]

(E) For an electronic notice described in paragraph (2) of subdivision (j), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.

(2) The security breach notification described in paragraph (1) shall include, at a minimum, the following information: (A) The name and contact information of the rep