
Data Breach Requirements According to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)

These two California statutes, the CCPA and the CPRA, outline the required response procedures for data breaches, with very specific notification requirements and courses of action. Companies are required to implement and maintain security measures that protect collected data from unauthorized use and access. Failure to provide proper security safeguards and systems can result in data breach incidents that must be reported following the specific guidelines set out in the CCPA/CPRA regulations.

When to notify

  • Once a data breach is discovered, the company’s data controller and processors must notify California consumers “without unreasonable delay,” and all third parties and processors must notify data controllers as soon as possible upon discovery of a data breach incident or security lapse. Exceptions apply where notification could interfere with an ongoing law enforcement investigation.

Who to notify

  • All CA residents that would be affected by the unauthorized release of personal data and information.
  • The regulatory authority (CPPA) and the CA State AG office must also be notified in the event the incident impacts more than 500 CA residents.

How to notify

The “Notice of Data Breach” notification must be written in plain language and must “call attention to the nature and significance of the information it contains,” with clear headings/titles and text no smaller than 10-point font. Notices must also include the following:

  • Identities and contact information for the organizations involved in the data breach incident
  • A summary and description of the data breach incident
  • Disclosure and notification of the type and inventory of personal data involved in the breach
  • Dates of occurrence (e.g., when the breach occurred, incident report dates)
  • If the data breach involved specific fields of data that could result in identity theft (Social Security number, driver’s license number, CA ID number, credit card data), the notification must include contact information for the relevant Credit Reporting Agencies (CRAs). In breaches that require CRA notification, the organization must also provide identity theft services to affected consumers for up to 1 year.

What constitutes a data breach?

There are several incidents that could constitute a data breach under CCPA/CPRA. Some of the most common events are:

  • Ransomware
  • Stolen or lost physical records
  • Data theft
  • Transfer of data without proper opt-in from consumer
  • Improperly updated or modified data
  • Providing unauthorized access or accidental exposure of data