This article is for information purposes only. Please contact a privacy attorney for specific guidance.
According to the California Consumer Privacy Act's (CPRA) Data Breach Notification Law, organizations in California are required to notify their consumers in the event of a data breach.
California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) [agency] and California Civ. Code s. 1798.82(a) [person or business].)
Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) [agency] and California Civ. Code s. 1798.82(f) [person or business].)
The law states a breach must be reported to law enforcement and consumers affected as soon as possible and may only be delayed if a written or oral statement from law enforcement is provided stating notification would impede an investigation. In addition, if a single breach affects more than 500 consumers, the California Attorney General must also be notified.
A breach notification includes several sections, including what happened, what information was compromised, what actions are being taken, and what consumers can do to protect their data. The description of the breach itself must be written in plain language and contain a minimum of the following:
The organization itself can decide if it wishes to publish additional information regarding what steps it has taken to protect the affected consumers and any advice it has for individuals to take.