1798.25. Each agency shall keep an accurate accounting of the date,
nature, and purpose of each disclosure of a record made pursuant to
subdivision (i), (k), (l), (o), or (p) of Section 1798.24. This
accounting shall also be required for disclosures made pursuant to
subdivision (e) or (f) of Section 1798.24 unless notice of the type
of disclosure has been provided pursuant to Sections 1798.9 and
1798.10. The accounting shall also include the name, title, and
business address of the person or agency to whom the disclosure was
made. For the purpose of an accounting of a disclosure made under
subdivision (o) of Section 1798.24, it shall be sufficient for a law
enforcement or regulatory agency to record the date of disclosure,
the law enforcement or regulatory agency requesting the disclosure,
and whether the purpose of the disclosure is for an investigation of
unlawful activity under the jurisdiction of the requesting agency, or
for licensing, certification, or regulatory purposes by that agency.
Routine disclosures of information pertaining to crimes,
offenders, and suspected offenders to law enforcement or regulatory
agencies of federal, state, and local government shall be deemed to
be disclosures pursuant to subdivision (e) of Section 1798.24 for the
purpose of meeting this requirement.
1798.26. With respect to the sale of information concerning the
registration of any vehicle or the sale of information from the files
of drivers' licenses, the Department of Motor Vehicles shall, by
regulation, establish administrative procedures under which any
person making a request for information shall be required to identify
himself or herself and state the reason for making the request.
These procedures shall provide for the verification of the name and
address of the person making a request for the information and the
department may require the person to produce the information as it
determines is necessary in order to ensure that the name and address
of the person are his or her true name and address. These procedures
may provide for a 10-day delay in the release of the requested
information. These procedures shall also provide for notification to
the person to whom the information primarily relates, as to what
information was provided and to whom it was provided. The department
shall, by regulation, establish a reasonable period of time for which
a record of all the foregoing shall be maintained.
The procedures required by this subdivision do not apply to any
governmental entity, any person who has applied for and has been
issued a requester code by the department, or any court of competent
jurisdiction.
1798.27. Each agency shall retain the accounting made pursuant to
Section 1798.25 for at least three years after the disclosure for
which the accounting is made, or until the record is destroyed,
whichever is shorter.
Nothing in this section shall be construed to require retention of
the original documents for a three-year period, providing that the
agency can otherwise comply with the requirements of this section.
1798.28. Each agency, after July 1, 1978, shall inform any person
or agency to whom a record containing personal information has been
disclosed during the preceding three years of any correction of an
error or notation of dispute made pursuant to Sections 1798.35 and
1798.36 if (1) an accounting of the disclosure is required by Section
1798.25 or 1798.26, and the accounting has not been destroyed
pursuant to Section 1798.27, or (2) the information provides the name
of the person or agency to whom the disclosure was made, or (3) the
person who is the subject of the disclosed record provides the name
of the person or agency to whom the information was disclosed.
1798.29. (a) Any agency that owns or licenses computerized data
that includes personal information shall disclose any breach of the
security of the system following discovery or notification of the
breach in the security of the data to any resident of California
whose unencrypted personal information was, or is reasonably believed
to have been, acquired by an unauthorized person. The disclosure
shall be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of law
enforcement, as provided in subdivision (c), or any measures
necessary to determine the scope of the breach and restore the
reasonable integrity of the data system.
(b) Any agency that maintains computerized data that includes
personal information that the agency does not own shall notify the
owner or licensee of the information of any breach of the security of
the data immediately following discovery, if the personal
information was, or is reasonably believed to have been, acquired by
an unauthorized person.
(c) The notification required by this section may be delayed if a
law enforcement agency determines that the notification will impede a
criminal investigation. The notification required by this section
shall be made after the law enforcement agency determines that it
will not compromise the investigation.
(d) For purposes of this section, "breach of the security of the
system" means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the agency. Good faith acquisition of
personal information by an employee or agent of the agency for the
purposes of the agency is not a breach of the security of the system,
provided that the personal information is not used or subject to
further unauthorized disclosure.
(e) For purposes of this section, "personal information" means an
individual's first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card
number.
(3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
(4) Medical information.
(5) Health insurance information.
(f) (1) For purposes of this section, "personal information" does
not include publicly available information that is lawfully made
available to the general public from federal, state, or local
government records.
(2) For purposes of this section, "medical information" means any
information regarding an individual's medical history, mental or
physical condition, or medical treatment or diagnosis by a health
care professional.
(3) For purposes of this section, "health insurance information"
means an individual's health insurance policy number or subscriber
identification number, any unique identifier used by a health insurer
to identify the individual, or any information in an individual's
application and claims history, including any appeals records.
(g) For purposes of this section, "notice" may be provided by one
of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with
the provisions regarding electronic records and signatures set forth
in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the agency demonstrates that the cost of
providing notice would exceed two hundred fifty thousand dollars
($250,000), or that the affected class of subject persons to be
notified exceeds 500,000, or the agency does not have sufficient
contact information. Substitute notice shall consist of all of the
following:
(A) E-mail notice when the agency has an e-mail address for the
subject persons.
(B) Conspicuous posting of the notice on the agency's Web site
page, if the agency maintains one.
(C) Notification to major statewide media.
(h) Notwithstanding subdivision (g), an agency that maintains its
own notification procedures as part of an information security policy
for the treatment of personal information and is otherwise
consistent with the timing requirements of this part shall be deemed
to be in compliance with the notification requirements of this
section if it notifies subject persons in accordance with its
policies in the event of a breach of security of the system.
1798.25. Each agency shall keep an accurate accounting of the date,
nature, and purpose of each disclosure of a record made pursuant to
subdivision (i), (k), (l), (o), or (p) of Section 1798.24. This
accounting shall also be required for disclosures made pursuant to
subdivision (e) or (f) of Section 1798.24 unless notice of the type
of disclosure has been provided pursuant to Sections 1798.9 and
1798.10. The accounting shall also include the name, title, and
business address of the person or agency to whom the disclosure was
made. For the purpose of an accounting of a disclosure made under
subdivision (o) of Section 1798.24, it shall be sufficient for a law
enforcement or regulatory agency to record the date of disclosure,
the law enforcement or regulatory agency requesting the disclosure,
and whether the purpose of the disclosure is for an investigation of
unlawful activity under the jurisdiction of the requesting agency, or
for licensing, certification, or regulatory purposes by that agency.
Routine disclosures of information pertaining to crimes,
offenders, and suspected offenders to law enforcement or regulatory
agencies of federal, state, and local government shall be deemed to
be disclosures pursuant to subdivision (e) of Section 1798.24 for the
purpose of meeting this requirement.
1798.26. With respect to the sale of information concerning the
registration of any vehicle or the sale of information from the files
of drivers' licenses, the Department of Motor Vehicles shall, by
regulation, establish administrative procedures under which any
person making a request for information shall be required to identify
himself or herself and state the reason for making the request.
These procedures shall provide for the verification of the name and
address of the person making a request for the information and the
department may require the person to produce the information as it
determines is necessary in order to ensure that the name and address
of the person are his or her true name and address. These procedures
may provide for a 10-day delay in the release of the requested
information. These procedures shall also provide for notification to
the person to whom the information primarily relates, as to what
information was provided and to whom it was provided. The department
shall, by regulation, establish a reasonable period of time for which
a record of all the foregoing shall be maintained.
The procedures required by this subdivision do not apply to any
governmental entity, any person who has applied for and has been
issued a requester code by the department, or any court of competent
jurisdiction.
1798.27. Each agency shall retain the accounting made pursuant to
Section 1798.25 for at least three years after the disclosure for
which the accounting is made, or until the record is destroyed,
whichever is shorter.
Nothing in this section shall be construed to require retention of
the original documents for a three-year period, providing that the
agency can otherwise comply with the requirements of this section.
1798.28. Each agency, after July 1, 1978, shall inform any person
or agency to whom a record containing personal information has been
disclosed during the preceding three years of any correction of an
error or notation of dispute made pursuant to Sections 1798.35 and
1798.36 if (1) an accounting of the disclosure is required by Section
1798.25 or 1798.26, and the accounting has not been destroyed
pursuant to Section 1798.27, or (2) the information provides the name
of the person or agency to whom the disclosure was made, or (3) the
person who is the subject of the disclosed record provides the name
of the person or agency to whom the information was disclosed.
1798.29. (a) Any agency that owns or licenses computerized data
that includes personal information shall disclose any breach of the
security of the system following discovery or notification of the
breach in the security of the data to any resident of California
whose unencrypted personal information was, or is reasonably believed
to have been, acquired by an unauthorized person. The disclosure
shall be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of law
enforcement, as provided in subdivision (c), or any measures
necessary to determine the scope of the breach and restore the
reasonable integrity of the data system.
(b) Any agency that maintains computerized data that includes
personal information that the agency does not own shall notify the
owner or licensee of the information of any breach of the security of
the data immediately following discovery, if the personal
information was, or is reasonably believed to have been, acquired by
an unauthorized person.
(c) The notification required by this section may be delayed if a
law enforcement agency determines that the notification will impede a
criminal investigation. The notification required by this section
shall be made after the law enforcement agency determines that it
will not compromise the investigation.
(d) For purposes of this section, "breach of the security of the
system" means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the agency. Good faith acquisition of
personal information by an employee or agent of the agency for the
purposes of the agency is not a breach of the security of the system,
provided that the personal information is not used or subject to
further unauthorized disclosure.
(e) For purposes of this section, "personal information" means an
individual's first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card
number.
(3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
(4) Medical information.
(5) Health insurance information.
(f) (1) For purposes of this section, "personal information" does
not include publicly available information that is lawfully made
available to the general public from federal, state, or local
government records.
(2) For purposes of this section, "medical information" means any
information regarding an individual's medical history, mental or
physical condition, or medical treatment or diagnosis by a health
care professional.
(3) For purposes of this section, "health insurance information"
means an individual's health insurance policy number or subscriber
identification number, any unique identifier used by a health insurer
to identify the individual, or any information in an individual's
application and claims history, including any appeals records.
(g) For purposes of this section, "notice" may be provided by one
of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with
the provisions regarding electronic records and signatures set forth
in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the agency demonstrates that the cost of
providing notice would exceed two hundred fifty thousand dollars
($250,000), or that the affected class of subject persons to be
notified exceeds 500,000, or the agency does not have sufficient
contact information. Substitute notice shall consist of all of the
following:
(A) E-mail notice when the agency has an e-mail address for the
subject persons.
(B) Conspicuous posting of the notice on the agency's Web site
page, if the agency maintains one.
(C) Notification to major statewide media.
(h) Notwithstanding subdivision (g), an agency that maintains its
own notification procedures as part of an information security policy
for the treatment of personal information and is otherwise
consistent with the timing requirements of this part shall be deemed
to be in compliance with the notification requirements of this
section if it notifies subject persons in accordance with its
policies in the event of a breach of security of the system.
1798.25. Each agency shall keep an accurate accounting of the date,
nature, and purpose of each disclosure of a record made pursuant to
subdivision (i), (k), (l), (o), or (p) of Section 1798.24. This
accounting shall also be required for disclosures made pursuant to
subdivision (e) or (f) of Section 1798.24 unless notice of the type
of disclosure has been provided pursuant to Sections 1798.9 and
1798.10. The accounting shall also include the name, title, and
business address of the person or agency to whom the disclosure was
made. For the purpose of an accounting of a disclosure made under
subdivision (o) of Section 1798.24, it shall be sufficient for a law
enforcement or regulatory agency to record the date of disclosure,
the law enforcement or regulatory agency requesting the disclosure,
and whether the purpose of the disclosure is for an investigation of
unlawful activity under the jurisdiction of the requesting agency, or
for licensing, certification, or regulatory purposes by that agency.
Routine disclosures of information pertaining to crimes,
offenders, and suspected offenders to law enforcement or regulatory
agencies of federal, state, and local government shall be deemed to
be disclosures pursuant to subdivision (e) of Section 1798.24 for the
purpose of meeting this requirement.
1798.26. With respect to the sale of information concerning the
registration of any vehicle or the sale of information from the files
of drivers' licenses, the Department of Motor Vehicles shall, by
regulation, establish administrative procedures under which any
person making a request for information shall be required to identify
himself or herself and state the reason for making the request.
These procedures shall provide for the verification of the name and
address of the person making a request for the information and the
department may require the person to produce the information as it
determines is necessary in order to ensure that the name and address
of the person are his or her true name and address. These procedures
may provide for a 10-day delay in the release of the requested
information. These procedures shall also provide for notification to
the person to whom the information primarily relates, as to what
information was provided and to whom it was provided. The department
shall, by regulation, establish a reasonable period of time for which
a record of all the foregoing shall be maintained.
The procedures required by this subdivision do not apply to any
governmental entity, any person who has applied for and has been
issued a requester code by the department, or any court of competent
jurisdiction.
1798.27. Each agency shall retain the accounting made pursuant to
Section 1798.25 for at least three years after the disclosure for
which the accounting is made, or until the record is destroyed,
whichever is shorter.
Nothing in this section shall be construed to require retention of
the original documents for a three-year period, providing that the
agency can otherwise comply with the requirements of this section.
1798.28. Each agency, after July 1, 1978, shall inform any person
or agency to whom a record containing personal information has been
disclosed during the preceding three years of any correction of an
error or notation of dispute made pursuant to Sections 1798.35 and
1798.36 if (1) an accounting of the disclosure is required by Section
1798.25 or 1798.26, and the accounting has not been destroyed
pursuant to Section 1798.27, or (2) the information provides the name
of the person or agency to whom the disclosure was made, or (3) the
person who is the subject of the disclosed record provides the name
of the person or agency to whom the information was disclosed.
1798.29. (a) Any agency that owns or licenses computerized data
that includes personal information shall disclose any breach of the
security of the system following discovery or notification of the
breach in the security of the data to any resident of California
whose unencrypted personal information was, or is reasonably believed
to have been, acquired by an unauthorized person. The disclosure
shall be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of law
enforcement, as provided in subdivision (c), or any measures
necessary to determine the scope of the breach and restore the
reasonable integrity of the data system.
(b) Any agency that maintains computerized data that includes
personal information that the agency does not own shall notify the
owner or licensee of the information of any breach of the security of
the data immediately following discovery, if the personal
information was, or is reasonably believed to have been, acquired by
an unauthorized person.
(c) The notification required by this section may be delayed if a
law enforcement agency determines that the notification will impede a
criminal investigation. The notification required by this section
shall be made after the law enforcement agency determines that it
will not compromise the investigation.
(d) For purposes of this section, "breach of the security of the
system" means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the agency. Good faith acquisition of
personal information by an employee or agent of the agency for the
purposes of the agency is not a breach of the security of the system,
provided that the personal information is not used or subject to
further unauthorized disclosure.
(e) For purposes of this section, "personal information" means an
individual's first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card
number.
(3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
(4) Medical information.
(5) Health insurance information.
(f) (1) For purposes of this section, "personal information" does
not include publicly available information that is lawfully made
available to the general public from federal, state, or local
government records.
(2) For purposes of this section, "medical information" means any
information regarding an individual's medical history, mental or
physical condition, or medical treatment or diagnosis by a health
care professional.
(3) For purposes of this section, "health insurance information"
means an individual's health insurance policy number or subscriber
identification number, any unique identifier used by a health insurer
to identify the individual, or any information in an individual's
application and claims history, including any appeals records.
(g) For purposes of this section, "notice" may be provided by one
of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with
the provisions regarding electronic records and signatures set forth
in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the agency demonstrates that the cost of
providing notice would exceed two hundred fifty thousand dollars
($250,000), or that the affected class of subject persons to be
notified exceeds 500,000, or the agency does not have sufficient
contact information. Substitute notice shall consist of all of the
following:
(A) E-mail notice when the agency has an e-mail address for the
subject persons.
(B) Conspicuous posting of the notice on the agency's Web site
page, if the agency maintains one.
(C) Notification to major statewide media.
(h) Notwithstanding subdivision (g), an agency that maintains its
own notification procedures as part of an information security policy
for the treatment of personal information and is otherwise
consistent with the timing requirements of this part shall be deemed
to be in compliance with the notification requirements of this
section if it notifies subject persons in accordance with its
policies in the event of a breach of security of the system.
