California law requires businesses and states agencies to notify individuals when their unencrypted data was in fact acquired by an unauthorized person, or if it is reasonable to believe that such a person has accessed the data. See, California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a). A breach involving the data of more than 500 California residents must be reported to the state attorney general. See the online form available here. The form itself should not include PII. The form is not covered by the provisions of the California Public Records Act which requires that law enforcement agencies disclose information if it would not jeopardize ongoing investigations.
The owner of the data must receive immediate notification of the breach. The actual, "Notice of Data Breach,” must be comprised of five sections:
1. What Happened
2. What Information Was Involved
3. What We Are Doing
4. What You Can Do
5. For More Information.
The statute itself includes a model form for businesses to use.
Businesses are required to indicate the estimated date of the breach if it is possible to reach a determination about when the breach occurred. If the business caused the breach it must offer theft prevention and mitigation services for 12 months. Personal information is defined as a person's name when used with any of the following:
1. Social security number
2. Driver's license number
3. Account number
4. Medical information
5. Health insurance information
6. Automated license plate recognition system information.