Cal. Civ. Code 1798.80 et seq.; Cal. Health and Safety Code 1280.15

Video Transcription
>> We're going to look at California's data breach notification law, California Civil Code 1798.80, and also the California Health and Safety Code, as they apply to data breach notification. We have several learning objectives: we're going to look at how this law defines personal information, how it defines a breach, whether there is a requirement for an analysis of risk of harm, whether the law requires or grants a safe harbor for encrypted personal information, the requirements for notifications to individuals and regulators, and then its enforcement and private cause of action (the right to sue in civil court) and civil penalties for noncompliance with this law.

Let's look at the law. Who has to comply with it? Any company licensed to operate within the State of California has to comply with this law. Those companies themselves, those clinics, health facilities, home health agencies, and hospices covered under the California Health and Safety Code, which have to comply with its medical information breach notification requirement, also must comply with this law, especially when the breach applies to patients' medical information.

How does this law define personal information? Much like we said earlier in this module, this law defines personal information as an individual's first name or first initial and his or her last name in combination with one or more identifiers. When the data itself isn't encrypted, we're talking about Social Security numbers, driver's licenses, California identification card numbers, tax identification numbers, passport numbers, military identification numbers, or other unique identification numbers associated with some form of US Government documentation used to identify that individual. Financial account numbers, credit or debit card numbers in combination with some type of security access code or password that provides access to that individual's financial records. We're talking about medical information, health insurance information, and we are even talking about unique biometric data. Now, in California, we're also talking about data collected through the use or operation of an automated license plate recognition system. This also defines personal information as an individual's username or access in combination with some type of access information, like a password or a security question, that would permit the individual to gain access to that online account.

When we talk about medical information, we're talking about any individually identifiable information in any format that identifies an individual. That could include the patient's name, address, electronic mail address, telephone number, or Social Security number.

How does this law define a data breach? It defines it as the unauthorized acquisition of computerized data, not data in paper format, that compromises the security, confidentiality, or integrity of personal information. The medical statute also defines it as unlawful or unauthorized access to, use, or disclosure of a patient's medical information in any format that triggers this notification requirement.

In this case, the California law does not require an analysis of risk of harm, but it does allow for a safe harbor: if the information is rendered unreadable, unusable, redacted, or if it's encrypted, then in certain circumstances those companies that have to comply with this law do not have to provide notification. Under the California law, it doesn't have an explicit exception for information that is indeed encrypted, redacted, or made unreadable.

What is the requirement for notification to individuals? California says that those companies and entities that have to comply with this law must do so in the most expedient time possible and without unreasonable delay. It does allow for the company itself to delay notification if law enforcement requests that it do so to complete its investigation, and in this case we're talking about a criminal investigation. There are also medical information requirements, and it says that a covered entity that must comply with this law must notify any California residents affected by this breach no later than 15 business days after the discovery of the breach has occurred.

What about notifying regulators? It says that it has a numerical threshold: those covered entities must provide notification if more than 500 California residents are impacted by this breach of their security systems. For medical information, it says that those companies that must comply with this law must notify the California Department of Health Services no later than 15 days after it detects the unauthorized access, use, and disclosure of medical information as defined under this law.

This California law also allows individuals that might be harmed by this breach of their personal information and medical information to sue in court to recover damages. From a medical information perspective, it doesn't allow California residents to sue in civil court, but it's the California Department of Health Services that has the opportunity to impose several penalties against those companies that violate the provisions of this law, respectively the medical information statute. It's $25,000 per patient whose information was unlawfully or without authorization accessed, and it's up to $17,500 for additional cases of unlawful or unauthorized access, use, and disclosure of the patient's medical information. If that company itself that has to comply with the medical statute does not do so to provide timely notice, then it can be fined $100 per day after the first 15-day period, and the total penalty for any one breach cannot exceed $250,000. It is the State Attorney General that enforces this law, or the California Department of Health and Human Services in conjunction with the Attorney General for breaches of medical information.

Question 1 asks: California's data breach notification law defines personal information as an individual's first name or first initial and his last name in combination with which of the following data elements? The appropriate answers are A, B, C, and D. Question 2 asks: California's data breach notification law states which of the following notification requirements? The answers are A, B, C, and D. We also know that there are requirements that if there are breaches of medical information as defined under this law, then there are also requirements for notification not only to the State Attorney General, but also to the California Department of Health and Human Services, not later than 15 days after it discovers a breach of medical information.

In summary, we know that California's data breach notification law is the first of its kind in the US, in the absence of a national data breach notification law. We know that it defines personal information in such a manner that it consists of an individual's first name or first initial and last name in combination with several identifiers. We know how it identifies or defines a data breach: as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of a California resident's personal information. We know it does have a limited safe harbor provision for encrypted information or data that's been rendered unreadable, unusable, or redacted in compliance with the law. We know the California law does not have an analysis of risk of harm requirement to determine if there were a low probability of harm to affected California residents. We do know that California law has a requirement for notification to regulators, either the California State Attorney General or the California Department of Health and Human Services, depending on the type of data, if 500 or more residents are affected by a breach of this information.