Just released: How to raise venture capital in 2023


Startups Beware! CA Breach Notification Laws Expanded


Key Takeaways

Carl Niedbala - Founder Shield
Carl Niedbala

COO & Co-Founder

The New CA Breach Notification Law

If you’re a tech startup, your duties to protect your users’ personal information just got a bit more onerous.  Last Friday (Sept 27th), Governor Jerry Brown signed a bill into law that expands the security/data breach notification requirements beyond their current spectrum.   Up until now, companies only had to notify users of a breach if they actually confirmed the loss of certain personal information, including identifier numbers (social security, driver’s license), credit card numbers, or certain medical/insurance information.  The folks at Fox Rothschild did a good job of breaking down the new law in this article, but we’ll just give you the absolute basics here:

  • The definition of “Personally Identifiable Information” (“PII”) has been expanded (again) to include much beyond the pieces of information listed above.  Essentially any combo of information that gives an outsider access to a user account qualifies.  Certain combinations of non-PII now count as PII as well, particularly if only some of the info is encrypted.
  • Users (CA residents) must be notified following any security breach when you know OR reasonably believe personal information was obtained by an unauthorized person.
  • Notifications must be made “in the most expedient time possible and without unreasonable delay” subject to exceptions for the needs of law enforcement.
  • Notifications must include a handful of standard information (how / when / what / why), but you’re allowed to include information about what you’re doing to correct the situation and how the user can protect his or herself.  If login information was taken, you can include directions on how to reset passwords and security questions.

What it means for your tech startup

While the new CA breach notification laws don’t change actual security requirements, this law obviously has some implications for your tech operations and infrastructure.  Depending on how your company/product is built, you may have to add an additional layer into your operations to deal with these new requirements.  And unfortunately its not quite as easy to automate something that can be based on a “reasonable belief.”

Keep in mind that this law protects CA residents, meaning that you don’t have to be a CA startup to full under its scope.  It’s a pretty safe bet that unless you’re beta testing in NYC or something, you’re going to have at least some users out west.  These infrastructure changes apply to basically everyone!

The change also opens you up to even more cyber liability in the form of “failure to inform” style lawsuits.  It’s unclear (at least to this writer) what counts as “unreasonable delay” for this law, and usually that definition will be hammered out during the first few painful notification-related court cases.  If you’re worried about your cyber exposure, read more here or reach out to us to get a quote any time.

Related Articles

cyber insurance pricing trends 2024
March 13 • Cyber Liability

Cyber Insurance Pricing Trends 2024

Uncertain about cyber insurance costs in 2024? Our article explores pricing trends, expert predictions on rate increases, and strategies to potentially reduce your cyber insurance premium.

cyber liability insurance premiums
March 4 • Cyber Liability

7 “Must Haves” For Cyber Liability Insurance in 2024

With cyber liability insurance premiums rising, business leaders must have the inside scoop to keep costs low. Our partners at Blacksmith InfoSec delve into those tips and tricks.

Cybersecurity Data Breaches
November 9 • Cyber Liability

Top 10 Cybersecurity Data Breaches of 2023

Today’s digital landscape is frightening for business leaders. Here’s a glimpse into some of the most cringe-worthy data breaches in 2023 — plus, how to avoid them.

Cyber Insurance Pricing Trends
July 19 • Cyber Liability

Cyber Insurance Pricing Trends 2023

After a hard-hit 2022, let’s explore the lessons learned, what currently impacts the cyber market, and cyber insurance pricing trends to expect in the future.

multi factor authentication
January 24 • Cyber Liability

Securing Your Company With Multi-Factor Authentication: A Complete Guide

Cybersecurity is a priority for most company leaders, with multi-factor authentication spearheading the endeavor. Here’s how to make it a reality in your organization.

October 6 • Cyber LiabilityRisk Management

Cybersecurity Awareness Month 2022 — Data, Data, Goose!

As the leaves turn golden and the wind blows colder, cybersecurity awareness month is upon us! Here’s what it’s all about and how your company can stay cyber-safe.