Data Breach FAQ

Data Breach Notification, Rights, and Remedies Under California Law

What is a data breach under California law?

Under California Civil Code Section 1798.82, a data breach is defined as unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business. California was the first state to enact a data breach notification law in 2002, and the law has been strengthened several times since then.

The definition of breach focuses on unauthorized acquisition, meaning that mere unauthorized access without acquisition may not trigger notification obligations, though some businesses notify out of caution. The breach must involve personal information, which California defines to include specific categories of data such as Social Security numbers, driver's license numbers, financial account information, medical information, health insurance information, and unique biometric data.

The breach must also compromise the security, confidentiality, or integrity of the data, which generally means the data was actually taken or exposed in a way that could harm consumers. Encryption provides a safe harbor: if breached data was encrypted and the encryption key was not compromised, notification may not be required because the data remains protected.

Legal Reference: California Civil Code Section 1798.82

What personal information triggers California's data breach notification requirement?

California Civil Code Section 1798.82 specifies the categories of personal information that trigger breach notification requirements. Notification is required when a breach involves a California resident's first name or first initial and last name in combination with any of the following unencrypted data elements:

- Social Security number
- driver's license number or California identification card number
- financial account number or credit or debit card number in combination with any required security code or password
- medical information
- health insurance information
- unique biometric data such as fingerprints, retina images, or other physical characteristics used for authentication
- a username or email address in combination with a password or security question and answer that would permit access to an online account

The law also requires notification if a business that maintains encrypted personal information experiences a breach that also compromises the encryption key. Additionally, if a breach involves a California resident's username or email address combined with a password or security question enabling account access, the business must provide notice in electronic or other form directing the user to change their password and security questions, or take other appropriate steps to protect the account.

Legal Reference: California Civil Code Section 1798.82(h)

What are the notification requirements for data breaches in California?

California law imposes specific requirements for data breach notifications. Under California Civil Code Section 1798.82, notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore reasonable integrity of the data system.

The notification must be written in plain language and include the name and contact information of the entity reporting the breach, a list of the types of personal information that were or are reasonably believed to have been involved, the date of the breach if known, the date the breach was discovered, whether notification was delayed due to a law enforcement investigation, a general description of the breach incident, the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed information that could be used for identity theft, and at the entity's discretion, advice on steps the consumer may take to protect themselves.

If the breach involves more than 500 California residents, the entity must also submit a sample copy of the notification to the California Attorney General. Notifications may be provided by mail, email if the consumer has consented to electronic notice, or through substitute notice methods if direct notice is not feasible.
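The trigger conditions described in the previous two answers (name plus an unencrypted data element, the encryption safe harbor and its key-compromise exception, the online-credential pair, and the 500-resident Attorney General sample requirement) can be written down as an incident-triage checklist. The Python below is an added example for that purpose; it is not part of this FAQ and is a simplification of the statutory text. The category labels, the `BreachRecord` and `Assessment` types, and the `assess` function are constructed names for illustration.

```python
"""Triage model of the California breach-notification triggers summarized
above (Cal. Civ. Code 1798.82). Added example, not statutory text; the
element labels and types are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Set

# Data elements that trigger notice when acquired unencrypted together with
# a first name (or initial) and last name. Labels are constructed.
NAME_PAIRED_ELEMENTS = frozenset({
    "ssn",
    "drivers_license",
    "ca_id_card",
    "financial_account_with_code",
    "medical_info",
    "health_insurance_info",
    "biometric",
})

# Online-credential pair: triggers notice on its own and requires the
# password-change / security-question notice described in the FAQ.
CREDENTIAL_ELEMENTS = frozenset({"username_or_email", "password_or_security_qa"})

# Sample notification goes to the Attorney General above this many residents.
AG_SAMPLE_THRESHOLD = 500


@dataclass
class BreachRecord:
    """What the investigation established about the acquired data."""
    elements: Set[str]          # categories of data acquired
    includes_name: bool         # first name/initial + last name present
    encrypted: bool = False     # data was encrypted at rest
    key_compromised: bool = False
    ca_residents: int = 0       # affected California residents


@dataclass
class Assessment:
    notify: bool                # consumer notification triggered
    credential_notice: bool     # direct users to change password / security Qs
    ag_sample_required: bool    # sample notice to the Attorney General
    reasons: List[str] = field(default_factory=list)


def assess(record: BreachRecord) -> Assessment:
    """Apply the FAQ's trigger rules to one breach record."""
    reasons: List[str] = []

    # Encryption safe harbor: encrypted data with an intact key stays protected.
    if record.encrypted and not record.key_compromised:
        reasons.append("data encrypted and key not compromised: safe harbor applies")
        return Assessment(False, False, False, reasons)
    if record.encrypted and record.key_compromised:
        reasons.append("encryption key compromised: treat data as unencrypted")

    notify = False
    hits = record.elements & NAME_PAIRED_ELEMENTS
    if record.includes_name and hits:
        notify = True
        reasons.append("name combined with: " + ", ".join(sorted(hits)))

    # The credential pair is listed separately and does not depend on a name.
    credential_notice = CREDENTIAL_ELEMENTS <= record.elements
    if credential_notice:
        notify = True
        reasons.append("online credential pair: direct users to change password and security questions")

    if not notify:
        reasons.append("no statutory trigger found")

    ag_sample = notify and record.ca_residents > AG_SAMPLE_THRESHOLD
    return Assessment(notify, credential_notice, ag_sample, reasons)


if __name__ == "__main__":
    # Constructed sample: names plus SSNs of 1,200 residents, unencrypted.
    sample = BreachRecord({"ssn", "medical_info"}, includes_name=True, ca_residents=1200)
    result = assess(sample)
    print(result.notify, result.ag_sample_required)
    for line in result.reasons:
        print(" -", line)
```

The safe-harbor branch returns early on purpose: once the data is treated as protected, neither the name-pairing rule nor the Attorney General threshold is reached, which mirrors the FAQ's statement that notification may not be required at all in that case.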

Legal Reference: California Civil Code Section 1798.82(d)

What should I do if I receive a data breach notification in California?

If you receive a data breach notification in California, taking prompt action can help protect yourself from potential harm. First, read the notification carefully to understand what information was compromised, when the breach occurred, and what steps the company is taking to address it. Note whether they are offering free credit monitoring or identity theft protection services.

Second, change passwords immediately for any accounts that may have been affected. Use strong, unique passwords for each account, and enable two-factor authentication where available. Third, monitor your financial accounts closely for unauthorized transactions. Review bank statements, credit card statements, and other financial records. Report any suspicious activity immediately.

Fourth, consider placing a fraud alert or credit freeze with the three major credit bureaus: Equifax, Experian, and TransUnion. A fraud alert requires businesses to verify your identity before opening new accounts, while a credit freeze prevents new accounts from being opened entirely. Under California law, credit freezes are free. Fifth, obtain and review your credit reports from all three bureaus. You are entitled to free reports annually at annualcreditreport.com and additional free reports after a breach. Look for unfamiliar accounts or inquiries. Sixth, take advantage of any free credit monitoring or identity theft protection services offered by the breached company.

Legal Reference: California Civil Code Section 1785.11.2

Can I sue a company for a data breach in California?

Yes, California law provides consumers with the ability to sue companies for data breaches under certain circumstances. The California Consumer Privacy Act, codified in California Civil Code Section 1798.150, creates a private right of action when a consumer's nonencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures appropriate to the nature of the information.

Consumers may recover statutory damages between 100 and 750 dollars per consumer per incident, or actual damages if greater, plus injunctive relief. Before filing suit for statutory damages, you must provide the business with 30 days' written notice identifying the CCPA provisions violated. If the business cures the violation within 30 days and provides written confirmation, you cannot proceed with the statutory damages claim, though you may still pursue actual damages.

Additionally, consumers may bring claims under other legal theories, including negligence if the company failed to exercise reasonable care in protecting data, breach of contract if the company's privacy policy or terms created contractual obligations, and violations of California's Unfair Competition Law. Class action lawsuits are common in data breach cases because many consumers are affected and individual damages may be small.

Legal Reference: California Civil Code Section 1798.150

What damages can I recover in a California data breach lawsuit?

In California data breach lawsuits, consumers may potentially recover several types of damages depending on the legal claims and circumstances. Under the California Consumer Privacy Act, California Civil Code Section 1798.150 provides for statutory damages between 100 and 750 dollars per consumer per incident, or actual damages if they exceed the statutory amount. Statutory damages are available without proof of specific harm, making them particularly valuable in data breach cases where actual damages may be difficult to quantify.

Actual damages may include costs incurred to protect against or mitigate harm, such as credit monitoring expenses, the value of time spent dealing with the breach and its consequences, out-of-pocket losses from identity theft or fraud resulting from the breach, and emotional distress in some cases.

Injunctive relief may be obtained to require the company to implement improved security measures, stop certain practices, or provide ongoing protection services. Courts may award attorney fees in some data breach cases, particularly under consumer protection statutes that provide for fee-shifting. In class action settlements, damages are often distributed on a per-claimant basis, with amounts varying based on the total settlement fund and number of claimants. Individual lawsuits may result in higher per-person recoveries but require proof of specific damages.

Legal Reference: California Civil Code Section 1798.150

What is a credit freeze and how does it protect me after a data breach?

A credit freeze, also known as a security freeze, is a powerful tool for protecting yourself after a data breach. When you place a credit freeze with a credit reporting agency, the agency cannot release your credit report to potential creditors without your authorization. This prevents identity thieves from opening new credit accounts in your name because most creditors require a credit report before approving new accounts.

Under California Civil Code Section 1785.11.2, consumers have the right to place, temporarily lift, and remove credit freezes for free. You must place freezes separately with each of the three major credit bureaus: Equifax, Experian, and TransUnion. When you place a freeze, you receive a PIN or password that you use when you want to lift the freeze temporarily, such as when applying for credit. You can lift the freeze for a specific creditor or for a specific period of time.

Freezes do not affect your credit score, your ability to get your free annual credit report, or credit monitoring services that use your credit report. They also do not prevent identity thieves from misusing existing accounts, so you should still monitor your accounts closely. Freezes are particularly valuable after breaches involving Social Security numbers or other information that could be used to open new accounts.

Legal Reference: California Civil Code Section 1785.11.2

How long do companies have to notify consumers of a data breach in California?

California law requires companies to notify affected consumers of data breaches in the most expedient time possible and without unreasonable delay under California Civil Code Section 1798.82. Unlike some states that specify exact timeframes such as 30 or 60 days, California's standard is more flexible but still demands prompt action.

The notification may be delayed only if a law enforcement agency determines that notification will impede a criminal investigation, in which case notification must be made after law enforcement determines it will no longer impede the investigation. The notification may also be delayed for the time necessary to determine the scope of the breach and restore the reasonable integrity of the data system. However, unreasonable delay is not permitted.

California courts and regulators have interpreted these requirements to mean that companies should notify consumers within approximately 30 to 60 days in most circumstances, accounting for the time needed for investigation and remediation. Delayed notification without legitimate justification can result in enforcement action by the California Attorney General and may strengthen private litigation claims. If a breach affects more than 500 California residents, the company must submit a sample notification to the Attorney General, which creates a public record and accountability mechanism.

Legal Reference: California Civil Code Section 1798.82(a)

What is reasonable security under California data breach law?

California law requires businesses to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information they hold. California Civil Code Section 1798.81.5 establishes this requirement, and the failure to maintain reasonable security is a key element of private lawsuits under the CCPA's data breach provisions.

While California law does not prescribe specific security measures, the California Attorney General has provided guidance indicating that the 20 Critical Security Controls published by the Center for Internet Security represent a minimum level of reasonable security. These controls include inventory and control of hardware and software assets, secure configuration of network devices and systems, continuous vulnerability management, controlled use of administrative privileges, secure configuration for mobile devices, maintenance and analysis of audit logs, email and web browser protections, malware defenses, and incident response capability.

What constitutes reasonable security depends on the nature of the information, the size and complexity of the business, and the cost and availability of security tools. Businesses should conduct risk assessments, implement appropriate technical and administrative safeguards, and regularly update their security practices.

Legal Reference: California Civil Code Section 1798.81.5

What role does the California Attorney General play in data breach enforcement?

The California Attorney General plays a significant role in data breach enforcement and consumer protection. Under California Civil Code Sections 1798.82 and 1798.84, the Attorney General has authority to bring civil actions against businesses that fail to comply with data breach notification requirements. The Attorney General can seek civil penalties, injunctive relief, and other remedies.

Companies experiencing breaches affecting more than 500 California residents must submit sample breach notifications to the Attorney General, creating a database of breaches that informs enforcement priorities. The Attorney General's office publishes annual data breach reports analyzing trends and providing guidance to businesses and consumers. The Attorney General also enforces the California Consumer Privacy Act, including its data security provisions.

Under the CCPA, the Attorney General can seek civil penalties of up to 2,500 dollars per violation or up to 7,500 dollars per intentional violation. The Attorney General has brought enforcement actions against companies with inadequate security practices and has obtained settlements requiring improved security measures, consumer notification, and monetary penalties. Additionally, the California Privacy Protection Agency, established by the California Privacy Rights Act, now shares enforcement authority for privacy law violations.

Legal Reference: California Civil Code Section 1798.84