If your business processes data belonging to residents of California, and you meet certain size or revenue requirements, you must abide by the California Consumer Privacy Act (CCPA). It doesn’t matter where your company is located; it can impact you regardless. A significant aspect of compliance is CCPA data breach notification. Similar to other frameworks in the US and globally, data subjects have a right to know if their information has been compromised.
Understanding the CCPA Data Breach Notification Requirements
In particular, requirements for data breach reporting are established in California Civil Code sections 1798.29 and 1798.82 for agencies and businesses or persons, respectively. Each set of rules is nearly identical. There are three components of CCPA specific to breach notification:
- The CCPA breach notification timeframe, or how soon companies must give notice
- The CCPA breach notification requirements for content, or what it needs to include
- The CCPA breach notification requirements for format, or how the notice must look
Beyond these, companies should also be keenly aware of the other major CCPA requirements for data privacy, which pertain to the four enumerated rights the CCPA grants to California residents.
CCPA Breach Notification Timeline and Potential Exceptions
California Civil Code requires all agencies, businesses, and persons that conduct business in California and preside over the personal data of California residents to notify those residents if their personal information is compromised. The notice must be delivered as soon as possible for the agency, business, or person. There cannot be delays, except for specific cases (see below).
The trigger for a breach notification is any instance in which an unauthorized individual acquires personal information of or belonging to a California resident. Specifically, the data must be unencrypted; if it is encrypted, a breach will only have occurred if there is reason to believe that the party who illegitimately obtained the information also has access to the encryption key or a security credential that would allow them to unencrypt or otherwise render the data readable.
Situations in Which Data Breach Notification May Be Delayed
While companies must provide notice immediately in almost all cases, exceptions are made for two primary reasons. The following exceptions apply to agencies, businesses, and persons:
- Companies may postpone notification of a data breach if a law enforcement agency deems it necessary. For example, if it could impact a criminal investigation, the breach notification can be delayed until as soon as possible after the investigation is complete.
- Companies may also postpone data breach notification if they determine that they need extra time to identify the scope of the breach and restore the integrity of files compromised.
In both cases, the law is not intended to provide a grace period for notification due to inability or unwillingness to notify impacted parties—it is to protect all impacted parties from further harm. A business also may not need to disclose a data breach if the data was already publicly available.
Other Regulatory Requirements That May Override CCPA’s
In some cases, adherence to the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) may satisfy compliance requirements for this California law. In particular, Civil Code 1798.82 (e) specifies that businesses and persons who are covered entities may follow the HIPAA procedures rather than the content and format details below.
HIPAA requires covered entities to notify all stakeholders impacted by a data breach no later than 60 days after breach discovery. In many cases, this may be a longer threshold than CCPA proper admits. Per HIPAA, covered entities must also report breaches to the secretary of the Department of Health and Human Services (HHS). This happens annually for small breaches or within the same 60-day timeframe for breaches impacting 500 or more individuals. In the latter case, the breach must also be reported to a media outlet local to the individuals impacted.
CCPA Breach Notification Specific Content Requirements
Beyond the CCPA breach notification timeframe, there are also nearly identical requirements for the content of breach reports issued by agencies, businesses, and persons. And, to understand these, you should first have a firm grasp of what the California Civil Code defines as personal data.
Companies need to report on all data breaches that include an individual’s first and last name, or their first initial and last name, together with other information that could be used to identify and harm them—provided these are unencrypted, as noted above. For example, social security, driver’s license, or other ID numbers could easily be used to verify the identity of a data breach victim.
Likewise, a credit card or bank account number could grant access to the victim’s finances directly, and medical information or biometric data could indirectly lead to damaging fraud.
Minimum Information Requirements for a Breach Notification
To help protect California residents against many forms of identity theft and other damage, California Civil Code requires the following information, at minimum, on a breach notification:
- Names and contact information of entities reporting on the data breach in question
- An itemized list of the types of data compromised or believed to be compromised
- The date of the breach, or a range within which it occurred, to the extent it is known
- Whether or not the notification being provided has been delayed for law enforcement
- A description of the breach incident to the extent it is known and possible to disclose
- Toll-free numbers for credit reporting agencies if SSN or license data is compromised
Companies should not spare details, sharing as much information as it is in the best interest of the impacted party to share, so long as sharing it does not put others or the company at risk.
Other Information Appropriate to Include in Breach Notification
Beyond these required forms of information, agencies, businesses, and persons may also elect to share certain categories of information at their discretion. The law’s suggestions include:
- Protections the company has enacted to minimize the damage the breach will cause to impacted parties, such as recovery and business continuity efforts being undertaken
- Advice concerning next steps impacted parties can take to protect their interests, such as ways in which they can help prevent or recover from similar attacks in the future
These sections are not required, but they may be advantageous to include. Companies may help mitigate reputational costs and salvage relationships with customers by instilling trust in the company’s handling of the incident. Attacks and leaks can happen to any company; customers want to know that they can trust the company to watch out for their best interests in a crisis.
CCPA Breach Notification Overall Formatting Requirements
The last major requirement for breach notifications laid out in the California Civil Code pertains to the format each notification should take. Most critically, the law explicitly states that notices must use clear, plain language that recipients will easily understand. This begins with the title, which must read “Notice of Data Breach”—with no deviation in form.
The statutes also provide notice templates companies can use, with the following headers:
- “What Happened”
- “What Information Was Involved”
- “What We Are Doing”
- “What You Can Do”
- “For More Information”
These headers must be used, verbatim and in this exact order, to draw maximum attention to the categories of information and their significance. Any deviation may constitute non-compliance.
Acceptable Methods and Mediums for Data Breach Notification
Finally, California Civil Code also regulates the form an agency’s, business’s, or person’s data breach notification takes and the medium through which it’s communicated. Namely, there are three forms of notice entities may provide to satisfy the requirements detailed above:
- Written Notice – Delivered to impacted individuals’ current home or business address
- Electronic Notice – If the impacted party is eligible, per Section 7001 of Title 15 of the US Code
- Substitute Notice – If the number of notice recipients exceeds 500,000, the entity lacks sufficient contact information, or the methods detailed above would cost over $250,000:
  - Email Notification, if a current email address is available for the impacted party
  - Conspicuous Posting on the entity’s homepage for a period of at least 30 days
  - Third-Party Notification, through media and the Office of Information Security
Note that agencies, businesses, and persons required to notify over 500 individuals must also send a sample copy of the notification, without personal information included, to the Attorney General.
Other Critical Components of CCPA and CPRA Compliance
Breach notification timeline, content, and format collectively make up just a few of the many issues companies need to consider concerning CCPA compliance. The CCPA’s entire body of applicable requirements is laid out across sections 1798.100 to 1798.199.100 of the Civil Code. They range from General Duties required of all entities that collect, store, transmit, or otherwise process Californians’ personal information to specific safeguards to implement.
The most critical components of the CCPA are the four enumerated rights it is designed to protect, which we detail just below. The best way to address all of these protections is to work with a CCPA compliance advisor, like RSI Security. First, our architecture implementation reduces the likelihood of breaches, and then incident management facilitates recovery and business continuity.
Data Subjects’ Right to Know About Data Collection and Uses
California residents have a right to know what personal information is collected from them, along with many details pertaining to its collection and use. Upon request, you may need to disclose:
- The types or categories of personal information collected from the data subject
- The specific files or other pieces of information collected from the data subject
- The sources from which data was collected, or the categories of these sources
- The intended purposes for which a subject’s personal information was collected
- The third parties with whom information is shared, or the categories of parties
- The categories or pieces of information sold or shared to these third parties
All information must be provided to eligible data subjects who request it (California residents), free of charge, and it must cover a period of up to 12 months prior to their request.
Data Subjects’ Right to Delete Certain Personal Information
California residents also have a right to request the deletion of their personal information. That is, they have a right to request that companies in control of said information delete it. However, this right is subject to many restrictions and exceptions, unlike the others detailed within the CCPA.
For example, businesses may legitimately deny requests related to this right if they can credibly prove that they are unable to verify the identity of the individual making the request. Businesses can also deny data subjects’ requests to delete for operational, security, or legal obligations.
Delays are also commonplace with respect to this right. A business does have to respond to a data subject’s request to delete within 45 days, but an additional 45-day extension may also apply. In practice, the effective deadline for a response in many cases is 90 days.
Data Subjects’ Right to Opt-Out of (Most) Sales of Their Data
A right with fewer exceptions than the right to outright deletion is data subjects’ right to opt out of certain uses of their data. In particular, the CCPA grants residents of California the right to reject the sale of their personal information. Any business that sells personal information must provide a link on its website for data subjects to opt out of data sales without creating a user account.
There are two situations in which this right may be overridden, and an opt-out request denied:
- When the sale of personal data is required for a business or legal purpose or obligation
- When the personal information in question is not subject to CCPA (medical records, etc.)
Note that, in the latter case, the data is almost certainly subject to similar requirements per HIPAA.
Data Subjects’ Right to Free Exercise of Their CCPA Rights
Finally, California residents are also guaranteed the right to exercise all other data privacy rights without incurring retaliation from the data controllers from whom they make relevant requests.
In practice, companies cannot refuse services to these individuals, nor can they offer different services or the same services at different price points. They may offer deals or incentives to customers willing to share their data, but all special offers must be commensurate with the shared data’s value. Customers have a right to know how their data relates to said offers, and those who opt out of data sharing after the fact may lose any related promotional rates.
Rethink Your CCPA Compliance and Cybersecurity Program
RSI Security is committed to helping companies all across the US comply with the CCPA and any other regulatory frameworks that apply to them.
We will help your company build secure infrastructure, including risk management and staff training, to drastically reduce the likelihood and potential impact of a data breach. We can also facilitate detecting and reporting on breaches, along with all other elements of incident management and business continuity.
To catch up with applicable CCPA data breach notification and other requirements, contact RSI Security today!