In April 2016, the Berkeley Unified School District issued a data breach notice when it inadvertently sent an electronic file to a news reporter (Bay Area News Group) that contained social security numbers. BUSD sent the file in response to an annual survey regarding employee salary and related payroll information. It addressed the breach as soon as it learned of the disclosure. Luckily, the reporter who received the information immediately notified the school about the disclosure, and the news group affirmed that it had destroyed the information upon the school's immediate request that it do so. Even in a scenario such as this, where there is no evidence that harm occurred as a result of the disclosure, schools that disclose sensitive "personal information" will be required to comply with notice obligations prescribed by California law.
The State of California requires a person or organization that conducts business in California to issue data breach notifications to California residents when the person or business discovers or receives notice that "unencrypted personal information" was, or is reasonably believed to have been, acquired by an unauthorized person. In accordance with California's Civil Code (section 1798.82 for businesses, section 1798.29 for state agencies), "personal information" means an individual's first name or first initial and his or her last name, in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) a social security number, (2) a driver's license number or California identification card number, (3) an account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, (4) medical information, (5) health insurance information, or (6) information or data collected through the use or operation of an automated license plate recognition system. Personal information also refers to a "username or email address" in combination with a password or security question and answer that would permit access to an online account. Personal information is considered "encrypted" when it is rendered "unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security."
Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. For example, executive pay listed in a private school's annual IRS return would not be considered "personal information" requiring data breach notification.
Notices provided in response to a data breach must meet highly specific legal requirements. In accordance with the Civil Code, a security breach notice must be titled "Notice of Data Breach." The notice must contain the following information:
- the name and contact information of the reporting person or business;
- a list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
- if known when providing the notice, the date of the breach, the estimated date of the breach, or the date range within which the breach occurred;
- the date of the notice;
- whether notification was delayed as a result of a law enforcement investigation;
- a general description of the breach;
- the toll-free numbers and addresses of the major credit reporting agencies if the breach exposed a social security number, or a driver's license or California identification card number; and
- if the person or business providing the notification was the source of the breach, an offer of appropriate identity theft prevention and mitigation services, if any, at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer.
The required information must be provided under the specific headings: (1) "What Happened," (2) "What Information Was Involved," (3) "What We Are Doing," (4) "What You Can Do," and (5) "For More Information." The titles and headings of notices must be clear and conspicuous, presented in a format that calls attention to the nature and significance of the information contained therein, and the text of the notice must be at least 10-point type. Civil Code, section 1798.82, even provides a template for data breach notification.
Businesses providing data breach notice may also, at the business's discretion, provide additional information, such as what the business has done to protect individuals whose information has been breached and advice on steps people can take to protect themselves.
The timing of a data breach notice is also essential. A person or business is required to disclose the breach "in the most expedient time possible and without unreasonable delay." The only exception is for legitimate needs of law enforcement. If a law enforcement agency determines that the notification will impede a criminal investigation, the person or business may delay the notification. However, the person or business must still make the notification "promptly" after a law enforcement agency determines that the disclosure will not compromise the investigation.
Data breach notifications can be written or electronic. However, if provided electronically, the notice must be consistent with the legal requirements pertaining to electronic records and signatures set out in federal law. In lieu of written or electronic notice, a person or business can submit a "substitute notice" if the person or business can demonstrate that the cost of providing notice would exceed $250,000, or that there are more than 500,000 people affected, or that the person or business does not have sufficient contact information to provide notice. Substitute notice must still consist of (1) email notice, when the person or business has an email address for the subject person, (2) conspicuous posting of the notice, for a minimum of 30 days, on the school's website, and (3) notification to major statewide media.
Conspicuous posting on a website means that the school must provide a link to the notice on the home page or first significant page after entering the website. The link must be in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link.
Finally, a person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of a security system must also electronically submit a sample copy of that security breach notification, excluding any personally identifiable information, to the State Attorney General. Information about submitting notification to the Attorney General, as well as a database of submitted breach notifications, is available online at https://oag.ca.gov/ecrime/databreach/reporting.
Your school must take appropriate and necessary steps to protect individuals, and their personal information, when a data breach occurs. In addition to the notice requirements provided by law, schools are encouraged to work with their data and technology vendors, risk managers, and legal counsel to help prevent, plan and prepare for, and respond to data breach incidents.