Expanded Security Breach
Effective January 1, 2012
All Provider Types Affected
On August 18, 2011, the California Legislature passed Senate Bill 24 (“S.B. 24”), which amended California’s security breach notification law, Cal. Civil Code § 1798.82 (“Section 1798.82”), to add content and reporting requirements for breach notifications. Governor Brown signed these changes into law on August 31, 2011, and they take effect January 1, 2012. While some providers’ existing breach notification policies and procedures may already satisfy the new content requirements, which largely mirror the federal HITECH Act, Section 1798.82 also contains new reporting requirements that differ from existing federal and state laws and with which providers will need to familiarize themselves as soon as possible. In addition, the changes to Section 1798.82 do not alter licensed health facilities’ breach notification obligations under Health & Safety Code § 1280.15 (“S.B. 541”).
Who Do These Changes Affect?
Section 1798.82 applies to all persons or businesses in California that own or license computerized data that includes “personal information.” Personal information includes an individual’s first name or first initial and last name, in combination with any one or more of a specified set of data elements,¹ when either the name or the data elements are not encrypted. Thus, the amendments to Section 1798.82 affect all persons or businesses that own or license electronic consumer records containing unencrypted data. This generally will include most, if not all, healthcare providers, and their “business associates” under HIPAA.
What Do the Changes Require?
S.B. 24 enacts four key changes to Section 1798.82:
Standardized contents of breach notifications. As amended, Section 1798.82(d) requires that security breach notifications be written in “plain language” and include, at a minimum, the following information:
- The name and contact information of the reporting person or business subject to Section 1798.82;
- A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
- If possible to determine at the time the notice is provided, any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred;
- The date of the notice;
- Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided;
- A general description of the breach incident, if that information is possible to determine at the time the notice is provided; and
- The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.
- In addition, at the discretion of the reporting person or business, the security breach notification may also include: (A) information about what the person or business has done to protect individuals whose information has been breached; and/or (B) advice on steps that the person whose information has been breached may take to protect himself or herself.
HITECH Act compliance by HIPAA covered entities deemed compliance with new content requirements. In an effort to coordinate California’s breach notification law with federal law, new Section 1798.82(e) provides that a “covered entity” under HIPAA will be deemed to have complied with the new notice content requirements under Section 1798.82(d) “if it has complied completely” with the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) notice content requirements set forth at 42 U.S.C. § 17932(f).
However, HITECH Act compliance will not exempt a covered entity from any other provision of Section 1798.82; e.g., the new reporting requirements, covered below. In addition, even if breach notification is not required under the HITECH Act (e.g., because the covered entity has determined that the incident does not pose a significant risk of financial, reputational, or other harm to the individual), breach notification may still be required under Section 1798.82, because California law does not contemplate a “harm analysis” as the HITECH Act does. Finally, because revised Section 1798.82(e) only exempts “covered entities” from the new notice content requirements, “business associates” under HIPAA still will be required to fully comply with their obligations under both the HITECH Act and Section 1798.82.
Attorney General notice required if more than 500 residents affected. New Section 1798.82(f) provides that any person or business that is required to issue a security breach notification pursuant to Section 1798.82 to more than 500 California residents as a result of a single breach of the security of the system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. That copy shall not be considered a record of complaint or investigation exempt from disclosure under the California Public Records Act.
“Substitute notice” now requires notice to Office of Privacy Protection. In situations where direct notice to affected individuals would be overly expensive or ineffective,² the law allows for “substitute notice” to be given instead. As amended, the substitute notice provisions of Section 1798.82(j) now require additional notification to the Office of Privacy Protection within the State and Consumer Services Agency. Under revised Section 1798.82(j), substitute notice must consist of all of the following:
- E-mail notice when the person or business has an e-mail address for the subject persons; and
- Conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains one; and
- Notification to major statewide media and the Office of Privacy Protection within the State and Consumer Services Agency.
There are no explicit penalties for failure to comply with Section 1798.82. However, the California Attorney General could prosecute violations of Section 1798.82 as unfair business practices under California’s Business and Professions Code.
Background to the Changes.
S.B. 24 attempts to fill a perceived “gap” in California’s breach notification laws, which the bill’s authors note are “silent on what information should be contained in the notification. As a result, [security breach notification] letters vary greatly in the information provided, leaving consumers confused and businesses exposed. S.B. 24 fills this gap by establishing standard, core content for the notification letters, thereby ensuring the notifications actually work.” The amendments in S.B. 24 stem from a growing body of federal and California breach notification requirements.
- Section 1798.82. Prior to S.B. 24, Section 1798.82 required any person or business covered by the statute to disclose a breach of the security of the system to any California resident whose unencrypted personal information was, or was reasonably believed to have been, acquired by an unauthorized person.³ The law requires that disclosure be made using either written notice, electronic notice, or substitute notice, and in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement. Prior to S.B. 24, however, the law did not specify the information that notifications under Section 1798.82 must contain.
- S.B. 541. In addition, existing California law requires certain licensed healthcare facilities to provide notification if a patient’s medical information is accessed, used, or disclosed unlawfully or without authorization. S.B. 541 requires notification to be provided to the patient and to the Department of Public Health (“CDPH”) within five business days after the breach is detected, unless notification would impede law enforcement’s investigation of the incident. Failure to report within that timeframe can result in fines of up to $100 per violation for each calendar day beyond the five-day period that the facility fails to report the breach. S.B. 541 does not, however, specify the information that the notification must contain.⁴
- HITECH Act. Finally, existing federal law, the HITECH Act, requires HIPAA “covered entities,” such as healthcare providers, to notify a patient whose “unsecured protected health information” has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of a breach. Unlike S.B. 541 and Section 1798.82, the regulations implementing the HITECH Act currently provide for a “harm analysis” in determining whether a breach has occurred; no breach notification is required if the covered entity determines that the acquisition, access, use, or disclosure of protected health information does not pose “a significant risk of financial, reputational, or other harm to the individual.” See 45 C.F.R. § 164.402. The HITECH Act requires that the notice of the breach include, to the extent possible, the following information: (1) a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (2) a description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code); (3) the steps individuals should take to protect themselves from potential harm resulting from the breach; (4) a brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches; and (5) contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address. 42 U.S.C. § 17932(f).
The attempt to align the amendments to Section 1798.82 with the HITECH Act provides some additional clarity regarding the information breach notifications must contain to comply with state law. However, even providers that comply with the HITECH Act’s substantive breach notification requirements will remain subject to Section 1798.82’s expanded reporting obligations to the Attorney General and the Office of Privacy Protection.
In addition, “business associates” under HIPAA will remain subject to the overlapping, but distinct, breach notification content requirements under both the HITECH Act and Section 1798.82, because business associates are not exempted under new Section 1798.82(e). Licensed health facilities subject to S.B. 541 reporting requirements will be subject to an additional layer of potentially overlapping breach notification requirements, and it is unclear whether a facility breach notification to CDPH that complies with the content requirements of the HITECH Act and/or Section 1798.82 will be viewed as sufficient for purposes of complying with S.B. 541.
Accordingly, despite the Legislature’s apparent attempt to coordinate Section 1798.82 with other federal and state laws, providers and business associates navigating breach notification issues remain subject to a patchwork of regulation and will need to ensure that breach notifications comply with the requirements of the HITECH Act, Section 1798.82, and S.B. 541, as applicable.
¹ The data elements include (1) Social Security number; (2) driver’s license number or California Identification Card number; (3) account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (4) medical information (broadly defined as any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional); or (5) health insurance information.
² Section 1798.82 permits substitute notice in three circumstances: (1) if the cost of providing notice would exceed $250,000; (2) if the affected class of subject persons to be notified exceeds 500,000; or (3) if the person or business does not have sufficient contact information.
³ Section 1798.82 also requires that any person or business that maintains such data notify the owner or licensee of the information of any security breach immediately following discovery if the personal information was, or was reasonably believed to have been, acquired by an unauthorized person.
⁴ CDPH has, however, issued written guidance regarding recommended contents of S.B. 541 notifications. See Cal. Dept. Pub. Health, All Facilities Letter 09-03 (July 29, 2009) at p.2 (“When notifying the department, the facility should include the following information: Date and time of reported incident; Facility name; Facility address/location; Facility contact person; Name of patient(s); Name of the alleged violator(s); General information about the circumstances surrounding the breach; Any other information needed to make the determination for an onsite investigation”).