The California legislature passed the nation’s first data breach notification statute in 2003, the California Data Protection Act (CDPA). Since this landmark legislation was enacted, over 30 states have passed similar statutes. The law is another example of California’s trendsetting legislation in the area of privacy.

What the CDPA requires

The CDPA requires that any business that “owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” Further, it requires a business to notify individuals affected by a data breach “in the most expedient time possible and without unreasonable delay.”

Definition of “personal information”

The CDPA broadly defines “personal information” to include:

• An individual’s signature;
• A person’s physical characteristics or description;
• Information collected through an automated license plate recognition system; and
• An individual’s employment and employment history.

Compliance

The CDPA also contains requirements in case a company suffers a data breach and responds by offering some remedial mitigation of the data breach to those affected. If a business offers “identity theft prevention and mitigation services” to those affected by the breach, it must do so at no cost for at least 12 months. Another requirement that is extremely important for employers to know is that businesses affected by a data breach are mandated by the CDPA to submit a sample of the data breach notification letter to the California Attorney General. California law is unique in many ways and contains many distinct, esoteric provisions.

Typical scams

Often, scammers use stolen data from companies to use employees’ email addresses and other personal information to set up phishing scams using a fraudulent email message, which appears to be legitimate, and then directs the reader to a phony website to divulge private personal information. The perpetrators then use this information to commit identity theft.

It is important for California employers to have a data protection and data breach notification plan. If you are an employer in California, it is important to obtain sound legal guidance for your business. DeAnn Flores Chase and her team of experienced attorneys can advise you on all your business needs. Contact Chase Law Group, P.C. at (310) 545-7700 or visit www.chaselawmb.com to schedule a consultation.