
Revised Data Security Breach Law Strengthened in California

California's 2002 data security breach law sets a precedent as the first of its kind in the U.S. This legislation compels any individual or company managing computerized data containing Californians' personal details to disclose any security breaches once they have been discovered or informed...

California Strengthens Its Data Privacy Breach Reporting Regulations

The General Data Protection Regulation (GDPR), a comprehensive data protection law enacted by the European Union, came into effect on May 25, 2018. This regulation gives individuals within the EU greater control over their personal data. GDPR aims to strengthen and unify data protection for all individuals within the EU, requiring organizations to obtain explicit consent from individuals before collecting and processing their personal data.

Several popular platforms, including Facebook, Messenger, Twitter, Pinterest, LinkedIn, WhatsApp, and Email, are subject to GDPR. Non-compliance with GDPR can result in heavy fines.

In the United States, California has its own set of data protection laws. Under California Civil Code section 1798.29(a), businesses that own or license computerized data containing personal information must notify California residents in the event of a data breach involving that information. The requirement is to disclose the breach "in the most expedient time possible and without unreasonable delay," consistent with legitimate law enforcement needs and necessary measures to determine the breach’s scope and restore system integrity.

Key requirements include:

  1. The notification must be sent when there is unauthorized access to computerized data containing personal information, such as name combined with Social Security number, driver’s license number, California identification card number, financial account information, medical information, health insurance information, or username/email plus password or security question answers.
  2. The notice must include a description of the breach incident, the type of information involved, and steps consumers can take to protect themselves.
  3. Notification methods may include written notice by mail, electronic notice if that is the primary means of communication with the person, or substitute notice if certain conditions are met, such as email, posting on the website, or press release.

This statute creates enforceable obligations to notify consumers personally affected by data breaches involving their personal data. For comprehensive compliance, businesses should also consider related requirements under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), which impose additional obligations beyond section 1798.29(a).

Moreover, GDPR also grants individuals the right to access, correct, erase, and restrict the processing of their personal data. In certain cases, GDPR mandates the appointment of a Data Protection Officer. It is crucial to remember that GDPR applies to any organization that processes the personal data of EU residents, regardless of the organization's location.

In conclusion, both GDPR and California data breach notification laws underscore the importance of protecting personal data and notifying individuals in the event of a breach. Businesses must comply with these regulations to ensure they are maintaining the trust and security of their customers' personal information.

Technology plays a crucial role in ensuring compliance with data protection laws, as it enables businesses to efficiently manage and secure personal data. Adherence to GDPR and California's data breach notification laws demonstrates a commitment to finance practices that prioritize both business and individual interests.

These regulations not only protect the privacy of individuals but also guard businesses against potentially damaging fines and loss of customer trust. By complying with GDPR and California data breach laws, businesses can show that they value the security of their customers' personal information and prioritize ethical business conduct in the realm of technology and finance.
