California has adopted laws and regulations, similar in spirit to HIPAA, that apply to any business operating in California. California Civ. Code s. 1798.82(a) states that:
“A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
This means that any business that conducts business in California must comply with these laws. A data breach can result from spyware, stolen computers, hacked networks, stolen hard-copy files, and so on.
What is considered “personal information” that must be reported?
For purposes of this section, “personal information” means either of the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
The minimum penalty (the remediation the statute requires) for a data breach is as follows:
If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information.
This does not include the loss of income your company will suffer from damage to its reputation, or the time and money it will take to rebuild that reputation.
Source: http://leginfo.legislature.ca.gov/faces/codes.xhtml
For more information on California and HIPAA laws, see http://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.&part=4.&chapter=&article=