The CCPA released the California Data Breach Notification Law, effective January 1, 2020. In addition, the enforcement date is set for July 1, 2020.
CCPA Purpose
The purpose of the CCPA, or the California Consumer Privacy Act of 2018, is to give California consumers more control over their private information. This privacy act applies to all business entities that collect that information.
In addition to this, there is the California Data Breach Notification Law.
California Data Breach Notification Law
This law compels businesses to send written notices of a breach to all consumers affected by an incident.
1. Who Should Be Notified?
- Individuals whose PII was compromised during the breach.
- Businesses that were reasonably part of the breach.
What does PII (Personally Identifiable Information) include?
- Complete name of a person
- Username or email address
- Passwords & security questions’ answers
- Social security number
- Driver’s license number
- California identification card number
- Consumer’s medical information
- Health insurance information
Furthermore, if a business has to notify more than 500 California consumers, it should then submit a copy (as a sample) of that notification to California’s attorney general. This applies per breach or incident that occurs.
2. Mandatory Content Of Notification
In order for the notification to be compliant and valid, it must be written with the following details.
I. Title
The notification should be in plain language. Moreover, it should be titled “Notice of Data Breach”.
II. Content Of Notification
- Name & contact details of the person or entity reporting the breach
- The list and types of PII that were believed to have been compromised by an unauthorized person
- The date of the incident (it could be estimated as a date range)
- State if the notice is delayed, or if it is a result of a law enforcement investigation
- Moreover, provide a general description of the incident
- Toll-free numbers and addresses of major credit reporting agencies
- The entity must provide an offer of appropriate identity theft prevention. It should also provide mitigation services for the affected consumers. All of these should be provided for at least a year after the incident.
- Detailed instructions on how to qualify for the 12-month Identity Prevention and Mitigation Services. Furthermore, terms and conditions should apply accordingly.
3. Further Details (Optional)
In addition to the said required content, the notice can also include the following information for further assurance.
- Safety measures enabled or taken to enhance protection of affected individuals
- Steps that these affected individuals could take to personally protect themselves from further security harm.
4. When Should A Business Send A Notice
The best answer to this is as soon as possible.
On the other hand, sending notifications may impede a criminal investigation. In that case, the sending of notifications could be delayed. However, this is subject to confirmation by the law enforcement agency.
5. Mode Of Sending
Under the CCPA, the notification of a breach can be sent by three different means. First, it can be sent in print. Secondly, it can be sent through electronic notices. Thirdly, it can be done with a valid substitute notice.