California Updates Its Data Breach Notification Law

Over the past four years, California’s Attorney General has received reports of 657 data breaches affecting more than 49 million records. In 2015 alone, nearly three in five Californians were victims of some kind of data leak. If it hasn’t yet happened to your business, it’s probably just a matter of time.

The sectors with the largest share of breaches were:

  • Retail (25%)
  • Financial services (18%)
  • Healthcare (16%)
  • Small businesses (15%) — Although they have less data than larger businesses, small businesses are still at significant risk.

When a data breach or leak occurs, California businesses are required by law to notify whoever is affected. But the laws have changed over the years, and it can be challenging to stay current with the most recent data breach notification law guidelines. That’s why Corodata makes a point of keeping up-to-date and advising its clients on this critical issue.

A Brief Background

California was the first state to enact a data breach notification law, intended to provide early warning to those at risk of identity theft when there is a reason to believe that personal information theft has occurred.

When California’s law first took effect in 2003, it focused on the types of information taken in financial identity theft. As new threats and technologies have emerged, the type of information covered by the law has since been updated several times.

In 2008, medical and health insurance information was added to the law’s scope. In 2013, the law was amended to include a username or email address, with a password or security question that permits access to an online account. In 2015, data from automated-license-plate-reader systems was added to the law’s definition.

2016 Data Breach Notification Law Update

Effective January 1, 2016, the data breach notification law’s provisions were updated again to require that data breach notices be written in a manner that is easy for your readers to understand, with clear instructions on how to take action. All notifications must now start with the simple title “Notice of Data Breach”, and include information about the breach under the following headlines:

  • What Happened
  • What Information Was Involved
  • What We Are Doing
  • What You Can Do
  • For More Information

Furthermore, it’s now mandated that the notice must be visibly posted on your business’s website for at least 30 days.

Not All Data Breaches are Digital

Although physical data breaches have declined in recent years, on-site incidents still account for up to 40 percent of data breaches.

Malware and Hacking

Intentional unauthorized intrusions into computer systems containing data. These types of breaches present the greatest threat, having increased by 22% in the past four years. (Read: Paper documents are still relevant)

Physical Theft or Loss

Unencrypted data stored on a laptop, thumb drive or other device that is removed from the owner’s control. This particularly affects the healthcare sector.


Intentional abuse of access privileges by an insider.


Anything done unintentionally that exposes data to unauthorized individuals, such as an email you didn’t mean to send, or someone looking at an unattended screen or document.

It’s important to protect your business from data leaks at all levels, and Corodata can help with that – with off-site records storage and shredding services that keep your sensitive records under control.