A business that maintains records that include a customer’s name along any one of the following: signature, social security number, address, telephone number, physical description, passport number, driver’s license number, insurance policy number, education, employment, employment history, bank account number, credit card number, or any other financial, medical or health insurance information, must give a specific form of notice if the records are stolen or unauthorized access occurs.
If such a breach occurs, California Civil Code Section 1798.82 requires that the notice be in the following format. First the notice must have a conspicuous title at the top of the document that reads “NOTICE OF DATA BREACH.” The body of the notice must contain the following headings:
- What Happened?
- What Information Was Involved?
- What Are We Doing?
- What Can You Do?
- Other Information:
- For More Information:
Within these headings, the notice must provide
- The name and contact information of the person or business providing the notice
- A list of the types of personal information that are reasonably believed to be have been the subject of the breach.
- The date or dates (estimated if necessary) of the breach(s).
- A general description of the breach incident
- Whether the notice was delayed because of a law enforcement investigation
- The toll-free numbers and addresses of the major credit reporting agencies if the breach included social security or driver’s license information.
- If the person or business providing the notification was the source of the breach, an offer to provide identity theft protection and mitigation services, if any, shall be provided for a period of not less than 12 months if the data breach included both social security numbers and driver’s license numbers.
The notice may be in written form, in electronic form, or posted on the company’s website for a period of not less than 30 days provided that a link appears on the home page of the website that is in larger type than the surrounding text or is set off from the surrounding text by symbols or marks that call attention to the link.