Enhancing and Aligning the California Data Breach Notification Law with the CPRA
In the past I have done a deep dive on California’s Data Breach Notification Law and called for specific enhancements to it. I have also banged the drum for a while now for a national data breach law. Given the recent SolarWinds and Colonial Pipeline attacks, there is finally some momentum for a national data breach notification law. But even if a federal law were to come into being, the California Data Breach Notification Law still needs improvement and better alignment with the California Privacy Rights Act. I first provide background on why and what should be done to the California Data Breach Notification Law, and then provide the proposed edits to the law itself.
Cybersecurity is not only a national security issue given recent attacks on our election system and critical infrastructure by nation states and organized crime, but increasingly a kitchen table issue for Californians. Californians now must grapple with the impact of their financial, medical and other personal data being stolen and compromised via a growing number of data breaches of corporate and government organizations, while at the same time trying to continuously avoid the growing minefield of phishing, malware and other types of cyberattacks that indiscriminately target them in their daily use of the Internet.
California was the first state to enact a data breach notification law, but unfortunately many breaches are going unreported, leaving Californians in the dark as to whether their most sensitive personal information is in the hands of hackers.
The current California Data Breach Notification Law (CalDBNL) has a much narrower definition of personal information and does not reflect the more up-to-date view of personal information found in the newly passed California Privacy Rights Act (CPRA). For example, it misses items in the CPRA definition of personal information such as internet activity information and commercial information such as purchasing histories, as well as “sensitive personal information” such as genetic information and the contents of email and text messages.
Consistency on what constitutes personal information would be helpful to businesses. It would also benefit consumers, in that businesses would find fewer loopholes regarding whether a breach must be reported, thereby forcing businesses to report their breaches more accurately.
Furthermore, enforcement of the CalDBNL should be centralized with the new California Privacy Protection Agency (CalPPA). The CalPPA has responsibility for enforcing and regulating the CPRA’s requirement that “a business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.” Given that breaches typically involve the theft of personal information, and that a breach is a key indicator of whether a business is implementing proper security procedures, it better fulfills the intent of the CPRA for the regulator of these inter-related matters to be one and the same.
Europe’s privacy law (the General Data Protection Regulation, or GDPR) requires businesses to report breaches to their “supervisory authority” (an EU member state’s data protection regulator, akin to California’s PPA), so having enforcement of breach notification under the CalPPA would also parallel standard operating procedure in countries that have a comprehensive privacy law. In other words, it is best practice to have breach notification and privacy enforcement under the same regulatory body.
Coupled with my proposal for enhancing and aligning the Data Broker Registry Law with the CPRA, what I am advocating is that regulation of privacy, data broker registration and data breach notification all sit under the umbrella of the California Privacy Protection Agency. It just makes sense, as regulation of data brokers and data breaches also involves consumers’ personal information.
Proposed Changes to California Civil Code section 1798.82
Given the length of the California Data Breach Notification Law, I am providing only the changes to the relevant sections. Changes are in bold, with color commentary in brackets [ ].
[The edit below changes the recipient of the sample security breach notification from the California Attorney General’s office to the California Privacy Protection Agency.]
(f) A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the California Privacy Protection Agency. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
[The edit below aligns the definition of personal information with the definition found in the CPRA, thereby casting a wider net on what must be reported to the State of California.]
(h) For purposes of this section, “personal information” has the meaning provided in subdivision (v) of Section 1798.140.
[The addition below gives the CalPPA regulatory and rulemaking power in the area of data breach notification, allowing the State of California to respond more quickly to changes in how breaches occur.]
(l) On or before July 1, 2020, the California Privacy Protection Agency shall solicit broad public participation and adopt regulations to further the purposes of this title.