Civil Code 1798.82(a)-(c) (2002; amended by AB 1298, 2007)

Summary:

Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any security breach to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation, in which case, notification shall be made after the law enforcement agency determines that it will not compromise the investigation.

Keywords:
electronic health records, business, notice of records breach, law enforcement
Parties Bound: 
Any business or person that owns, licenses, or maintains computerized data that includes personal information
Subject Conferred Legal Right of Action: 
Civil Code 1798.84(b): Any customer injured by a violation of this title may institute a civil action to recover damages.
Associated Federal Law(s): 
ARRA HITECH Act 13402(a) and (d); interim final HHS regulations at 45 CFR 164.404
Notification in case of breach : Covered entities must notify individuals if their health information has been breached, within 60 calendar days of the discovery of breach.
Associated Federal Law(s): 
ARRA HITECH Act 13402(g); interim final HHS rules at 45 CFR 164.412
Notification in case of breach : Delay of notification authorized for law enforcement purposes