Data Breach Laws


PCI DSS Compliance –

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that every company that accepts, processes, stores, or transmits credit card information maintains a secure environment.

PCI Cost
Most small businesses are categorized as Level 4 merchants, for which PCI compliance costs can be as low as $10/month. The actual cost also depends on business type, hardware, software, and other factors.

PCI Violation Penalty
The violation penalty alone can be $5,000 to $100,000 per month, passed down from the card companies to the banks and eventually to the business owner. In most cases, a business is notified when it is in violation of PCI compliance; it can then be charged at least $5,000 per month for as long as the violation remains unresolved.

Breakdown of Cost of Data Breaches:

  • Lawyer fees;
  • Mandatory forensic examinations (average cost of $20,000–$50,000 per small business);
  • Credit and identity monitoring for victims of the data breach (for up to a year);
  • The high cost of setting up a call center for victims;
  • Liability for fraud-charge lawsuits;
  • Card replacement costs (average cost of $3–$10 per card);
  • Upgrading or replacing POS (point-of-sale) systems (depending on the cause of the data breach);
  • Hiring an external Qualified Security Assessor (QSA) to examine the new POS system before the business can accept electronic payments again, followed by a complete reassessment for PCI compliance.

California Civil Code on Data Breaches –

California Civ. Code s. 1798.82 –

(h) For purposes of this section, “personal information” means either of the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.
(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

California Civ. Code s. 1798.84 –

(a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.
(b) Any customer injured by a violation of this title may institute a civil action to recover damages.
(c) In addition, for a willful, intentional, or reckless violation of Section 1798.83, a customer may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.83.

California Civil Code s. 1798.29(a) applies to state agencies.
California Civ. Code s. 1798.82(a) applies to businesses.

Health & Safety Code § 1280.15 – notification requirements applicable to a clinic, health facility, home health agency, or hospice licensed pursuant to Cal. Health & Safety Code section 1204, 1250, 1725, or 1745.


The HIPAA Breach Notification Rule –

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured, federally protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.

These individual notifications must be provided without unreasonable delay, and in no case later than 60 days following the discovery of a breach. To the extent possible, each notification must include:

  • A brief description of the breach;
  • A description of the types of information that were involved in the breach;
  • The steps affected individuals should take to protect themselves from potential harm;
  • A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches;
  • Contact information for the covered entity (or business associate, as applicable).

Note: This is provided for informational purposes only, not legal advice. For more details on a specific case, please seek legal help.