Civil Code 1798.29(a)-(c) (2002; amended by AB 1298, 2007)

Summary:

Any agency that owns or licenses computerized data shall disclose any security breach to any California resident whose unencrypted personal information (including medical information) was acquired by an unauthorized person. Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any security breach immediately following discovery that the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Notification may be delayed if a law enforcement agency determines that it will impede a criminal investigation; in which case, notification shall be made after the law enforcement agency determines that it will not compromise the investigation.

Parties Bound: 
Any agency that owns, licenses, or maintains computerized data that includes personal information
Associated Federal Law(s): 
Breach notification requirement for vendors of personal health records and other non-HIPAA covered entities: After discovering a breach of security of unsecured PHR identifiable health information, the vendor of personal health records must notify affected individuals and the FTC. Third-party service providers must similarly notify the vendors of security breaches.

Timeliness of notification: All breach notifications shall be sent in no case later than 60 calendar days after the discovery of a breach of security. If a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security, the notification shall be delayed.