Understanding Breach Notification Obligations Under California Law: What Does the CCPA Require? - Dear Mary – Incidents + Investigations Cybersecurity Advice Column

Troutman Pepper

‘Dear Mary,’ is Troutman Pepper’s Incidents + Investigations team’s advice column. Here, you will find Mary’s answers to questions about anything and everything cyber-related – data breaches, forensic investigations, how to respond to regulators, and much more. ‘Dear Mary’ goes beyond our articles, podcasts, webinars, and other content we produce because here, we respond directly to your questions with concise, practical answers. We promise they will be interesting, informative, and hopefully a little fun.

Drop us a line with any cyber-related question you would like answered – whatever may keep you up at night – and we’ll do our very best to provide a practical, actionable answer. Of course, our answers will be somewhat general in nature and should not be considered legal advice – always consult with an attorney (preferably one of ours!) before acting on anything you read here.

Thank you for reading!


Dear Mary,

I am the privacy compliance officer at a cloud-based software company. We recently experienced an incident where, although none of our client’s data was compromised, it appears that our employees’ information may have been copied and removed from our environment. This information includes employees’ full names, salaries, and salary schedules. All of our employees reside in California, and given the CCPA’s broad definition of personal information, I am assuming notification will be required?

– Frowning in Fresno



July 17, 2024

Dear Frowning,

I have been patiently waiting for this question, so thank you for this. There has been a lot of confusion surrounding the California Consumer Privacy Act (CCPA) and its implications for breach notification obligations.

First, it’s important to clarify that the CCPA is primarily a privacy statute designed to provide consumers with certain rights over their “personal information” and to ensure transparency from businesses regarding their information practices. While the CCPA does broadly define “personal information,” California has a separate breach notification statute, Cal. Civ. Code § 1798.82, which specifies when businesses must notify individuals of security incidents. The CCPA does not change the breach notification obligations outlined in this statute. In other words, the CCPA does not dictate whether you need to notify individuals or regulators of a breach. You should refer to California’s breach notification statute for that information.

The good news is that while the CCPA broadly defines personal information, the breach notification statute uses the term “personally identifiable information,” which is more narrowly defined. Based on the details you’ve provided, an individual’s salary or salary schedule is not considered a protected data element under this statute, so there’s a chance this incident may not trigger notification.

I do want to note that while the CCPA doesn’t change whether notice will be required, the CCPA does allow consumers to bring an action for statutory damages in the event of a data breach due to a business’s failure to implement reasonable security procedures (sidenote: I think this is the provision that may have led some to mistakenly believe that the CCPA changes breach notification obligations in California, but it does not). Before seeking these statutory damages, the consumer must provide 30 days’ written notice identifying the specific CCPA violation (i.e., the business’s failure to implement reasonable security procedures). My point in sharing this information is to emphasize that if you ever need to issue a breach notice under California law, you should be mindful of this provision when drafting your notification letter or responding to any potential cure notices. The language used in these communications could come back to bite you later on.

I hope this information helps turn that frown upside down.

Cheers,

Dear Mary

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising

Written by:

Troutman Pepper