California has four main data breach statutes: two of general applicability (the California Customer Records Act and the California Consumer Privacy Act of 2018/California Privacy Rights Act) and two narrowly focused on data breaches involving medical information (the Confidentiality of Medical Information Act and Cal. Health & Safety Code Section 1280.15). Depending on the kind of data an organization maintains, the type of business, and the organization's size, some or all of these laws will apply in the event of a data breach.

THE CALIFORNIA CUSTOMER RECORDS ACT

The California Customer Records Act (CRA)[1] sets out how customers’ personal information (PI) must be handled and prescribes the notification procedures a business must follow in the event of a data breach.[2] CRA violations may result in the imposition of civil damages, penalties, or an injunction.[3] The obligations and rights provided for in the Act cannot be waived.[4]

Reasonable InfoSec Procedures Required 

Under Section 1798.81.5 of the CRA: 

A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.[5]

The Act does not specify what constitutes “reasonable security procedures and practices,” except to say that they must be “appropriate to the nature of the information.” While this lack of a defined InfoSec standard may present challenges to organizations looking for compliance certainty, it also presents an opportunity. The generally described requirement allows covered businesses to choose a compliance strategy that works best for protecting their data under their particular circumstances.

Whether through compliance with ISO 27001 & 27002, the NIST framework, CIS Critical Security Controls, or some other program that addresses an organization’s unique needs, the CRA allows for any number of ways to achieve compliance with Section 1798.81.5 as long as it is appropriate to the nature of the information and is designed to protect customer PI from unauthorized access, destruction, use, modification, or disclosure. It bears noting, however, that the closer a business’ InfoSec compliance program matches an established standard, the better that program is likely to withstand a challenge under the Act.[6]

 

Who Must Comply with the CRA?

The term “business” used in the CRA includes everything from a sole proprietorship to a public corporation, however organized.[7] Non-profits are covered as well.[8] Moreover, unlike the California Consumer Privacy Act of 2018 or Proposition 65, there is no minimum number of employees or revenue threshold that must be met before this section of the CRA applies.[9] However, some types of organizations are exempt, typically because they are already subject to other comprehensive federal or state laws with extensive InfoSec requirements.

Businesses Exempt from CRA InfoSec Requirements:

  1. A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act;

  2. A financial institution subject to the California Financial Information Privacy Act;

  3. A covered entity governed by the medical privacy and security rules issued under the Health Insurance Portability and Accountability Act (HIPAA);

  4. An entity that obtains information under an agreement pursuant to the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code; and

  5. A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section of the CRA.[10]

What Information is Covered by the CRA Security Law?

The CRA contains a definition of “personal information” that is quite broad, including any information that identifies, relates to, describes, or is capable of being associated with a particular individual.[11] However, the information covered by the InfoSec requirements of the Act is far narrower, encompassing only a small subset of the data that other statutes or international regulations treat as personally identifiable information.

The CRA’s Information Security Requirement Only Applies to: 

(A) An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:  

  1. Social security number;

  2. Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual; 

  3. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;  

  4. Medical information;  

  5. Health insurance information;

  6. Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes; or

  7. Genetic data.  

(B) A username or email address in combination with a password or security question and answer that would permit access to an online account. [12]

Courts have sometimes referred to this smaller subset of personal data as “sensitive information.”[13] Only a breach of this sensitive information can be the basis for a civil lawsuit under the CRA.[14] Even information that qualifies as “sensitive” cannot be the basis for a lawsuit if it is publicly available: the Act specifically excludes from its definition of personal information any publicly available information that is lawfully made available to the general public from government records.[15]

When qualifying customer PI has been compromised due to a failure to comply with the requirements of the CRA security law, an organization is exposed to civil lawsuits for damages and injunctive relief, as explained in more detail under “How is the Customer Records Act Enforced?” below.

The CRA Data Breach Notification Law

In the event of a breach of a business’s security system that causes its California customers’ personal data to be acquired by an unauthorized person, the CRA’s data breach notification law requires that the affected California residents be notified promptly (and, if the breach affects more than 500 Californians, that the California Office of the Attorney General be notified as well).[16]

How is the Customer Records Act Enforced?

The CRA enforcement provisions are found in Section 1798.84 of the Act. Any California customer who has been injured by a business’s violation of the CRA may bring a civil suit for damages, penalties, and injunctive relief.[27] Additionally, the CRA specifically provides that these rights are cumulative to any other rights or remedies available under the law.[28] This would include claims under, for example, California’s Unfair Competition Law (California Business and Professions Code § 17200 et seq.) and California’s Consumers Legal Remedies Act (California Civil Code § 1750 et seq.).

Only customers are permitted to sue under the CRA.[29] A “customer” is defined under the statute as an “individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.”[30] Thus, neither competitors nor employees may bring a lawsuit under the CRA, even if their PI was disclosed in a data breach.[31]

Additionally, any would-be litigant must have incurred some injuries or damages in order to maintain a data breach lawsuit under the CRA.[32] Those injuries are typically (1) increased risk of future harm; (2) cost to mitigate the risk of future harm; and/or (3) loss of the value of the product or service that was purchased.[33] With respect to risk of future harm, courts have found an actionable increased risk of harm when PI has been stolen by cyber criminals, when some portion of the data has been released or sold on the Internet, and when some individuals have already been the victim of identity theft which can be related back to the data breach in question.[34] For example, in In re Adobe Systems, Inc. Privacy Litigation, the court found that customers had plausibly alleged a “substantial risk of harm” stemming from a data breach where hackers accessed customer PI and had decrypted customer credit card numbers using Adobe systems, some of the stolen data had already surfaced on the Internet, and some PI had been misused by others.[35]

When there is a credible threat of real and immediate harm, or impending injury, mitigation costs incurred by customers, including costs associated with credit monitoring, password protection, freezing/unfreezing of credit, obtaining credit reports, and penalties resulting from frozen credit can all support compensable injuries under the Act.[36] General allegations of lost time dealing with a data breach have been found too speculative to constitute cognizable injury.[37]

Customers whose PI has been disclosed in a data breach may also sue for any damages incurred as a result of a business’s failure to comply with the data breach notification requirements set out in Section 1798.82. However, these suits are unlikely to succeed unless the customer can prove harm caused by the notice failure itself, as opposed to harm from the data breach. For example, plaintiff customers who allege that they were not notified of a data breach “in the most expedient time possible and without unreasonable delay” must prove that the harm they suffered resulted from the delay in notification, not from the data breach itself.[38]

California Consumer Privacy Act of 2018 

The most recent addition to California’s data breach laws, the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act (CPRA), is a comprehensive privacy law that imposes a variety of compliance requirements on businesses that collect and process the personal information of California consumers.[39]

Data Breach Notification Under the CCPA/CPRA

With respect to data breaches, the CCPA/CPRA piggybacks on the California Customer Records Act (CRA). The CCPA adds a private right of action for any consumer whose personal information (PI) falls into the special categories set forth in Section 1798.81.5(d)(1)(A) of the CRA (see above).[40] Specifically, the CCPA states that:

Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, or whose email address in combination with a password or security question and answer that would permit access to the account is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action [. . . ][41]

No theft or exfiltration is required in order to plead a plausible violation of the CCPA; a disclosure is sufficient.[42]

Differences Between the Data Breach Provisions of the CCPA and the CRA

Both the CCPA and the CRA impose InfoSec requirements in the collection, transfer, destruction, and maintenance of PI. Failure to comply with those requirements can lead to liability under both laws. However, there are some important differences between the two statutory schemes.

Who Can Sue for a Data Breach Under the CCPA Versus the CRA

The CCPA is broader than the CRA because it is not confined to “customer” PI; instead it covers “consumer” PI.[43] While the two words are often used interchangeably in common parlance, in these statutes their meanings differ in critical ways. As noted above, “customer” under the CRA excludes employees, since they do not provide personal information for the purpose of purchasing a good or service from the business. In contrast, “consumer” under the CCPA means “a natural person who is a California resident.”[44] This includes employees, job applicants, independent contractors, and anyone else who is a California resident. Thus, while employees of a business cannot maintain a data breach suit under the CRA, they may do so under the CCPA, increasing businesses’ potential liability.

Who Must Comply with the CCPA Versus the CRA

While the CCPA expands the categories of individuals who can sue for a data breach, there are far fewer businesses that fall within the ambit of the law. The CCPA has some significant thresholds that must be met before the law applies to a business. The business must operate for profit[45] and meet at least one of the following:

  1. have annual gross revenues over $25 million;[46]

  2. annually buy, receive, sell, or share (alone or in combination) the PI of at least 100,000 consumers or households;[47] or

  3. derive 50% or more of its annual revenues from selling or sharing consumer PI.[48]

How is the CCPA Enforced?

The California Privacy Protection Agency (CPPA) is the primary enforcer of the CCPA.[49] Businesses face administrative fines, injunctions and civil penalties of up to $2,500 per violation and $7,500 for each intentional violation.[50]

Consumers can bring actions for data breaches caused by a business’s failure to implement and maintain reasonable security procedures and practices on an individual or class-wide basis.[51] Consumers can recover statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, injunctive relief, and other relief as determined by the court.[52] Statutory damages are assessed by considering the relevant circumstances of the case, including:

  • the nature and seriousness of the misconduct, 

  • the number of violations, 

  • the persistence of the misconduct, 

  • the length of time over which the misconduct occurred, 

  • the willfulness of the defendant’s misconduct, 

  • and the defendant’s assets, liabilities, and net worth.[53]  

Before a private plaintiff may seek statutory damages, the business is entitled to 30 days’ written notice identifying the specific provisions alleged to have been violated.[54] No notice is required for a private plaintiff suing for actual monetary damages, as opposed to statutorily set amounts, resulting from a data breach.[55] Nor is any notice required before an enforcement action brought by the government.

If a cure is possible, and if a business cures a noticed violation and provides an express written statement to the consumer that the violations have been cured and no further violations will occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.[56] Note that if a business chooses to provide this written statement, it can be used as the basis for a subsequent lawsuit for failure to comply with the statement, leaving the business vulnerable to an action for statutory damages for each breach of the express written statement, as well as any other violations that postdate the written statement.[57]  

MEDICAL INFORMATION 


Medical information is universally recognized as a sensitive type of PI deserving of special care. In addition to data breach laws of general application, California has two state laws that cover the disclosure of medical information specifically.


CONFIDENTIALITY OF MEDICAL INFORMATION ACT

The Confidentiality of Medical Information Act (CMIA)[58] has two provisions that most commonly trigger medical data InfoSec compliance planning. The first, Section 56.10, requires that health care providers obtain prior authorization before disclosing patient medical information.[59] The second, Section 56.101, provides for remedies and penalties against health care providers who negligently handle medical information and thereby cause the loss of its confidentiality.[60]

What Information is Protected Under the CMIA?

The CMIA’s InfoSec sections apply to “medical information.” Medical information is defined by the Act as:

any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental health application information, reproductive or sexual health application information, mental or physical condition, or treatment.

“Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the identity of the individual.[61]

Breaking that down, the definition encompasses a wide swath of data.  

  1. Data in either electronic or paper form;

  2. Data in the possession of a health care provider (or other health-related company);

  3. Data derived from a health care provider (or other health-related company);

  4. Data about an individual’s medical history or mental or physical condition;

  5. Data from a mental health, reproductive health, or sexual health app; and

  6. Data about an individual’s treatment for a mental or physical condition.

Deidentified data would not seem to be included as “medical information.” However, pay careful attention to the entire definition of “individually identifiable.” If the health related information contains any details that would reveal an individual’s identity, even in combination with other publicly available information, it is considered “medical information” governed by the CMIA. So partial names, truncated phone numbers, or any other semi-revealing identifiers may unexpectedly bring health information within the Act’s purview.

Additionally, given the broad wording of the Act, some areas of business not traditionally thought of as maintaining medical information, like weight loss apps, exercise studios, fitness websites, and mood trackers, may all be considered in possession of “medical information” within the scope of the CMIA.

Who Must Comply?

Both sections of the CMIA that create InfoSec obligations (§§ 56.10 and 56.101) apply to providers of health care, health care service plans, and contractors that either disclose medical information regarding a patient (§ 56.10(a)) or collect and store medical information (§ 56.101). With respect to the maintenance of medical records, Section 56.101 additionally applies to pharmaceutical companies.[62]

The definition of “provider of health care” deserves special attention. It is broader than the set of entities covered under HIPAA: under the CMIA, a “provider of health care” includes any business that offers software or hardware to consumers, including web or mobile apps, that maintains medical information.[63] Additionally, the CMIA applies to businesses that receive medical information.[64] Given the breadth of the phrase “medical information” in the Act (discussed above), this brings within the ambit of the CMIA many businesses that fall outside the scope of HIPAA.

What Conduct is Proscribed?

Nondisclosure Under Section 56.10

Section 56.10(a) of the CMIA provides that 

a provider of health care, health care service plan, or contractor shall not disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization [. . . ].

There are many exceptions to this nondisclosure rule.[65] For example, medical information can be disclosed in legal proceedings,[66] for billing,[67] and for determining benefits under employee plans.[68] Additionally, both federal and state courts in California have held that a violation of Section 56.10(a) requires an “affirmative communicative act” by the business alleged to have improperly disclosed the medical information.[69] This limitation means that medical data exposed through a data breach, cyber theft, or accidental posting in a public forum should not give rise to a viable CMIA claim under this section.[70]

Competent Information Security Processes For Handling of Confidential Medical Information Under Section 56.101

Section 56.101(a) requires that:

Every provider of health care, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein.

Any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.[71]

With a different focus than Section 56.10, Section 56.101 creates a duty to preserve the confidentiality of medical information maintained by health care providers and related companies. If this information is maintained in a negligent manner that destroys its confidentiality, the business responsible is subject to damages and penalties.

Unlike Section 56.10, no affirmative act is required to support a violation of Section 56.101(a).[72] Thus, data breaches caused by hackers, ransomware, and mistake are all actionable as violations of this provision of the CMIA.[73] However, there are other limits on the data breaches that may be pursued under the Act. The most successful defense has been that, even if there was a data breach, no unauthorized person actually viewed the information.[74] Mere possession of the confidential information by an unauthorized person is insufficient.[75] To prevail under this provision, a patient must prove that the confidentiality of their records was breached because an unauthorized person actually viewed or accessed the information or records.[76]

How is the CMIA Enforced?

The CMIA contains a private right of action for any individual whose confidential medical information or records have been negligently released.[77] Individuals may seek nominal damages of $1,000 for the breach, even if they have not suffered or been threatened with actual damages.[78] Individuals may also recover the actual monetary damages they have incurred as a result of the breach.[79]

Nominal damages can be avoided if a business establishes all of the following:

  1. The business is a covered entity or business associate under HIPAA;

  2. The business notified, if required, all persons entitled to receive notice regarding the release of the information or records;

  3. The release of confidential information or records was solely to another covered entity or business associate;

  4. No medical identity theft was involved;

  5. The business took appropriate preventive actions to protect the confidential information or records against release, consistent with the CMIA, HIPAA, and the HIPAA regulations (with specific requirements set out in the statute);

  6. The business took reasonable and appropriate corrective action after the release of the confidential information, and the records were destroyed or returned in the most expedient time possible and without unreasonable delay, unless the business shows that the technology used prevented the return or destruction of the records;

  7. The records were not retained, used, or released by the covered entity that received them;

  8. The business took reasonable and appropriate steps to prevent a future similar release of confidential information; and

  9. The business has not previously used this affirmative defense, or a court determines that the affirmative defense is compelling and consistent with the purposes of this section to promote reasonable conduct in light of all the facts.[80]

In addition, a court must consider whether it is equitable to allow a business to avoid paying the nominal damages for its breach considering, among other things, whether the business has previously violated section 56.101, and the nature of the prior violation.[81] Even if a business escapes paying nominal damages based on the above factors, an affected individual is still entitled to recover reasonable attorney’s fees and costs, without regard to the damages awarded or the imposition of fines or penalties.[82]

Separate from any action for civil damages, if a business’s disclosure of confidential medical information or negligent handling of medical records results in economic loss or personal injury to a patient, the violation is punishable as a misdemeanor.[83] The Attorney General and other state and local officials may bring actions against violating businesses for civil penalties.[84] A business can also be liable for an administrative fine or civil penalty of up to $2,500 per violation, irrespective of the amount of damages suffered by the patient.[85] If a person or entity willfully obtains, discloses, or uses medical information in violation of the CMIA, penalties of up to $25,000 per violation can be levied, depending on the situation.[86] If the violation was willful and done for financial gain, penalties can go as high as $250,000 per violation.[87]

Federal courts in California have found that pleading violations of the CMIA, even when no monetary damages are suffered or threatened, is sufficient to establish a concrete injury to allow affected individuals to proceed in federal court.[88] Courts are divided about whether time spent monitoring one’s credit and other tasks associated with responding to data breaches are concrete, non-speculative injuries.[89] But some courts have inferred that theft of medical information is primarily financially motivated and realized through identity theft or other forms of fraud.[90]

DATA BREACH NOTIFICATION FOR HEALTH FACILITIES

California clinics, health facilities, home health agencies and hospice programs have unique data breach notification requirements under California Health and Safety Code Section 1280.15. The statute provides that these entities must prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information.[91] “Medical information” is defined broadly by incorporating the same definition used by the CMIA (see above).[92]

A medical information data breach under this law excludes:

  1. Inadvertently misdirected internal records within the same facility or health care system to coordinate care or deliver services, where the information is not further accessed, used, or disclosed unless permitted or required by law. 

  2. Inadvertently misdirected records sent to an outside HIPAA covered entity in the course of coordinating care or delivering patient services.[93]

  3. A disclosure in which a health care facility or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such medical information.[94]  

  4. Any disclosure of medical information permitted or required by law.[95]

  5. Any lost or stolen encrypted electronic data containing a patient’s medical information where the encrypted electronic data has not been accessed, used, or disclosed in an unlawful or unauthorized manner.[96]

Any lost or stolen unencrypted electronic data containing a patient’s medical information that is in any way created, kept, or maintained by a health care facility is presumed to be a breach unless the disclosure is shown to be “low risk.” A disclosure is determined to have a low probability that medical information has been compromised based on a risk assessment of at least the following factors:

  1. The medical information involved, including the types of identifiers and the likelihood of re-identification;[97]

  2. The unauthorized person who used the medical information or to whom the disclosure was made;[98]

  3. Whether the medical information was actually acquired or viewed;[99] and

  4. The extent to which the risk of access to the medical information has been mitigated.[100]

Violation of Section 1280.15(a) may result in an administrative penalty of up to $25,000 per patient and up to $17,500 per subsequent occurrence. In determining the amount of the administrative penalty, the California Department of Public Health shall consider:

  1. The entity’s history of compliance with this InfoSec requirement and other related laws and regulations;

  2. The extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from reoccurring; 

  3. Any factors that restricted the facility’s ability to comply with this security requirement that were outside of its control.[101]

If one of these entities has a data breach (defined as any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information), it must report the breach to the California Department of Public Health no later than 15 business days after the breach has been detected.[102] The facility must also notify the affected patients within that same period at their last known addresses, or by email if they have previously agreed to receive electronic notice by email.[103]

Reporting the data breach can be delayed 30 days on oral request by a law enforcement agency and up to 60 days on written request, to allow for its investigation to be conducted unimpeded. The delay request may be extended an additional 60 days on written declaration.[104]

If a facility fails to report the breach within the required deadline, the Department of Public Health may assess a penalty of $100 for each day beyond the deadline, with a maximum penalty of $250,000.[105] There is a dispute process and resolution procedure built into the Act.[106]

_____________________________________________

[1] California Civil Code § 1798.80, et seq.

[2] In re Solara Medical Supplies LLC Customer Data Security Breach Litigation, 613 F.Supp.3d 1284, 1300 (S.D. Cal. 2020).

[3] Cal. Civ. Code §§ 1798.84(b)-(e).

[4] Cal. Civ. Code § 1798.84(a).

[5] Cal. Civ. Code § 1798.81.5(b).

[6] See, e.g., Dugas v. Starwood Hotels & Resorts Worldwide, Inc., Case No. 3:16-cv-00014-GPC-BLM (S.D. Cal. 2016) (finding the plaintiff had sufficiently alleged a violation of § 1798.81.5 of the CRA for failure to employ reasonable security measures, such as industry-standard encryption, to protect such PI).

[7] Cal. Civ. Code § 1798.80(a).

[8] Id.

[9] Compare Cal. Civ. Code § 1798.83(c)(1) (exempting businesses with fewer than 20 full-time or part-time employees from informing customers about the disclosure of their PI to other businesses for direct marketing purposes) with § 1798.81.5(b) (containing no such limitation).

[10] Cal. Civ. Code § 1798.81.5(e).

[11] Cal. Civ. Code § 1798.80(e).

[12] Cal. Civ. Code § 1798.81.5(d)(1).

[13] See, e.g., Corona v. Sony Pictures Entertainment, Inc., 2015 WL 3916744, * 4 (C.D. Cal. 2015). Cf., Rahman v. Marriott International, Inc., 2021 WL 346421, * 2 (C.D. Cal. 2021); Mehta v. Robinhood Financial, LLC., 2021 WL 6882377, *6 (N.D. Cal. 2021).

[14] Rahman, 2021 WL 346421 at *2.

[15] Cal. Civ. Code § 1798.81.5(d)(4).

[16] Cal. Civ. Code §§ 1798.82(a) & (f).

[17] Cal. Civ. Code § 1798.82(a).

[18] Cal. Civ. Code § 1798.82(g).

[19] Cal. Civ. Code §§ 1798.82(a) & (b).

[20] Cal. Civ. Code §§ 1798.82(a) & (f).

[21] Cal. Civ. Code §§ 1798.82(a) & (c).

[22] Cal. Civ. Code § 1798.82(h). For purposes of this section, personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. § 1798.82(i)(1).

[23] Cal. Civ. Code § 1798.82(j).

[24] Cal. Civ. Code § 1798.82(d)(2).

[25] Cal. Civ. Code § 1798.82(d). Additional formatting requirements for readability are found in § 1798.82(d)(1)(A)-(D).

[26] Cal. Civ. Code § 1798.82(e).

[27] Cal. Civ. Code §§ 1798.84(b), (c) & (e). However, the penalties available under the CRA only apply to violations of Section 1798.83 related to disclosure of customer PI to third parties for use in direct marketing.

[28] Cal. Civ. Code § 1798.84(h).

[29] Corona, 2015 WL 3916744 at *7. 

[30] Cal. Civ. Code § 1798.80(c).

[31] See Corona, 2015 WL 3916744 at *7.

[32] See Cal. Civ. Code § 1798.84(b). See also In re Adobe Systems, Inc. Privacy Litigation, 66 F.Supp.3d 1197, 1218 (N.D. Cal. 2014). This is often referred to as a “statutory standing requirement.”

[33] See Adobe, 66 F.Supp.3d at 1211.

[34] See, e.g., Adobe, 66 F.Supp.3d at 1215, 1217; In re Yahoo! Inc. Customer Data Security Breach Litigation, 313 F.Supp.3d 1113, 1143 (N.D. Cal. 2018).

[35] Adobe, 66 F.Supp.3d at 1206, 1215, & 1217.

[36] Cf. Corona, 2015 WL 3916744 at *4-*5 (in the context of a negligence claim; CRA claim dismissed on other grounds).

[37] Id. at *4.

[38] Solara, 613 F.Supp.3d at 1300; Dugas, 3:16-cv-00014-GPC-BLM at *7. See also In re Sony Gaming Networks & Customer Data Security Breach Litigation, 996 F.Supp.2d 942, 1010 (S.D. Cal. 2014).

[39] Cal. Civ. Code §§ 1798.100-.199.100.

[40] Cal. Civ. Code § 1798.150. 

[41] Cal. Civ. Code § 1798.150(a)(1).

[42] Stasi v. Inmediata Health Group Corp., 501 F.Supp.3d 898, 924 (S.D. Cal. 2020).

[43] Compare Cal. Civ. Code § 1798.80(c) (“customer”) with Cal. Civ. Code § 1798.150(a) (“consumer”).

[44] Cal. Civ. Code § 1798.140(i).

[45] Cal. Civ. Code § 1798.140(d)(1).

[46] Cal. Civ. Code § 1798.140(d)(1)(A). Calculated from the preceding full calendar year. This threshold is not limited to revenue from California consumers. See Final Statement of Reasons Update of Initial Statement of Reasons for 11 C.C.R. §§ 999.300 et seq. (hereinafter “FSOR”).

[47] Cal. Civ. Code § 1798.140(d)(1)(B). See also § 1798.140(q) (definition of “household”).

[48] Cal. Civ. Code § 1798.140(d)(1)(C).  

[49] Compare Cal. Civ. Code § 1798.155 with § 1798.150. The Attorney General may file civil enforcement suits as well. Cal. Civ. Code § 1798.199.90(a).

[50] Cal. Civ. Code § 1798.155(a).

[51] Cal. Civ. Code § 1798.150.

[52] Cal. Civ. Code §§ 1798.150(a)(1)(A)-(C).

[53] Cal. Civ. Code § 1798.150(a)(1)(C)(2).

[54] Cal. Civ. Code § 1798.150(b).

[55] Cal. Civ. Code § 1798.150(b).

[56] Id.

[57] Id.

[58] Cal. Civ. Code §§ 56-56.37.

[59] Cal. Civ. Code § 56.10(a).

[60] Cal. Civ. Code § 56.101(a).

[61] Cal. Civ. Code § 56.05(j).

[62] Cal. Civ. Code § 56.101(a).

[63] See Cal. Civ. Code § 56.06(b).

[64] See Cal. Civ. Code § 56.10(e).

[65] See Cal. Civ. Code §§ 56.10(b) & (c).

[66] Cal. Civ. Code §§ 56.10(b)(1)-(5).

[67] Cal. Civ. Code §§ 56.10(c)(2) & (3).

[68] Cal. Civ. Code § 56.10(c)(21).

[69] Sutter Health v. Superior Court, 227 Cal.App.4th 1546, 1556 (2014); see also Regents of Univ. of Cal. v. Sup. Court, 220 Cal.App.4th 549, 564 (2013); Stasi, 501 F.Supp.3d at 922.

[70] See, e.g., Stasi, 501 F.Supp.3d at 922 (finding that an “errant webpage setting” that causes medical information to be disclosed on the internet, done without intent to communicate that information, could not support a violation of CMIA Section 56.10).

[71] Cal. Civ. Code § 56.101(a).

[72] Regents, 220 Cal.App.4th at 553-54; Corona, 2015 WL 3916744 at *7; Sutter, 227 Cal.App.4th at 1554; Stasi, 501 F.Supp.3d at 923; Solara, 613 F.Supp.3d at 1299.

[73] See, e.g., Solara, 613 F.Supp.3d at 1293 (cyber security incident); Sutter, 227 Cal.App.4th at 1552 (stolen hard drive); Corona, 2015 WL 3916744 at *1 (cyber-attack).

[74] See Sutter, 227 Cal.App.4th at 1558.

[75] Id. at 1557; Regents, 220 Cal.App.4th at 570.

[76] See Sutter, 227 Cal.App.4th at 1550; Regents, 220 Cal.App.4th at 554; Stasi, 501 F.Supp.3d at 923.

[77] Cal. Civ. Code § 56.36(b).

[78] Id.

[79] Cal. Civ. Code § 56.36(b)(2).

[80] Cal. Civ. Code § 56.36(e).

[81] Cal. Civ. Code § 56.36(e)(3).

[82] Cal. Civ. Code § 56.36(e)(4).

[83] Cal. Civ. Code § 56.36(a).

[84] Cal. Civ. Code § 56.36(f)(1).

[85] Cal. Civ. Code § 56.36(c)(1).

[86] Cal. Civ. Code § 56.36(c)(2).

[87] Cal. Civ. Code § 56.36(c)(3). Knowingly and willfully receiving confidential medical information in violation of the CMIA also can result in a civil penalty of up to $250,000. Cal. Civ. Code § 56.36(c)(5).

[88] See, e.g., Stasi, 501 F.Supp.3d at 911.

[89] Compare Stasi, 501 F.Supp.3d at 917 with Corona, 2015 WL 3916744 at *4.

[90] See Stasi, 501 F.Supp.3d at 916.

[91] See Cal. Health & Safety Code § 1280.15(a).

[92] Id.

[93] 22 CCR 79901(b)(1)(B).

[94] 22 CCR 79901(b)(1)(C).

[95] 22 CCR 79901(b)(1)(D).

[96] 22 CCR 79901(b)(1)(E).

[97] 22 CCR 79901(b)(1)(F)(i).

[98] 22 CCR 79901(b)(1)(F)(ii).

[99] 22 CCR 79901(b)(1)(F)(iii).

[100] 22 CCR 79901(b)(1)(F)(iv).

[101] Cal. Health & Safety Code § 1280.15(a).

[102] Cal. Health & Safety Code § 1280.15(b)(1).

[103] Cal. Health & Safety Code § 1280.15(b)(2).

[104] Cal. Health & Safety Code § 1280.15(c)(1).

[105] Cal. Health & Safety Code § 1280.15(d).

[106] See Cal. Health & Safety Code §§ 1280.15(g) & (h).
