What’s Required by California’s Data Security and Breach Notification Law?

February 27th, 2018
Every US state has data protection and breach notification laws that are designed to protect consumers’ privacy and security. These regulations have the best intentions, but are often extremely complicated, not least because of variations between local state laws.

Here in California, the law requires businesses to notify customers whenever their personal information has been or is believed to have been acquired by an unauthorized third party.

These laws (California Civil Codes 1798.29 and 1798.82) apply to all individuals and companies that store information electronically, either for their own needs or on behalf of other entities. Businesses are also required to inform the attorney general if a single data breach involves more than 500 residents of the state.

What Sort of Data Does the Law Apply To?

Breach notification laws are intended to protect personally identifiable information by requiring organizations to inform their customers whenever their private data might have been compromised.

To that end, the law covers any data that includes an individual’s first or last name in combination with any additional personal data, such as social security numbers, medical information, payment data, driver’s license numbers, other identification numbers, or account and login details.

The law also covers encrypted data whenever the decryption key or other credentials needed to read it have been stolen or leaked along with it.

How to Notify Your Customers of a Breach

The first and most important thing to understand is precisely what a data breach looks like, insofar as the law is concerned. Simply put, a breach occurs whenever personally identifiable information that your company is responsible for becomes accessible to unauthorized parties. Even if you’re not sure whether compromised files have been copied or shared, you will still be legally obligated to inform your customers that the possibility arose.

Not only is immediately notifying your customers a legal requirement in California and most other US states, it will also help protect your reputation at a time when it can be under severe threat.

If your business suffers a breach, a quick announcement could save you from being skewered by the public (just look at Equifax's 3-month response time). The law also stipulates some especially strict and specific requirements for the data breach notification, so it’s usually easier to use a notification template to ensure you include everything that’s required. Doing so will also ensure you stay fully compliant with the law.

You Need a Proactive Approach to Data Security

While there’s no such thing as a system that’s 100% immune to data breaches, that doesn’t mean you can’t significantly reduce the chance that you'll ever need to comply with breach notification laws. With the right technology and expertise on your side, you’ll be able to proactively protect your business and customers in ways that prepare you for the worst.

One of the most important features of any robust cybersecurity strategy is round-the-clock monitoring. After all, cybercriminals don’t take a break, and modern security can’t afford to rest on its laurels either. With 24/7 monitoring from a managed IT services provider, your business will have everything it needs to stay informed. In other words, if there is any attempted access to your network by an unauthorized user, you’ll know about it right away, thus giving you ample opportunity to stop the threat dead in its tracks and mitigate any damage in the process.

As the adage goes, the best offense is a good defense, and in no case is this truer than it is with cybersecurity. That’s why OC-IT is here to offer our clients the proactive care they need to protect their businesses from data breaches and stay compliant with industry regulations.