Dear Mary,

I am the privacy compliance officer at a cloud-based software company. We recently experienced an incident where, although none of our client’s data was compromised, it appears that our employees’ information may have been copied and removed from our environment. This information includes employees’ full names, salaries, and salary schedules. All of our employees reside in California, and given the CCPA’s broad definition of personal information, I am assuming notification will be required?

– Frowning in Fresno


July 17, 2024

Dear Frowning,

I have been patiently waiting for this question, so thank you for this. There has been a lot of confusion surrounding the California Consumer Privacy Act (CCPA) and its implications for breach notification obligations.

First, it’s important to clarify that the CCPA is primarily a privacy statute designed to provide consumers with certain rights over their “personal information” and to ensure transparency from businesses regarding their information practices. While the CCPA does broadly define “personal information,” California has a separate breach notification statute, Cal. Civ. Code § 1798.82, which specifies when businesses must notify individuals of security incidents. The CCPA does not change the breach notification obligations outlined in this statute. In other words, the CCPA does not dictate whether you need to notify individuals or regulators of a breach. You should refer to California’s breach notification statute for that information.

The good news is that while the CCPA broadly defines personal information, the breach notification statute uses the term “personally identifiable information,” which is more narrowly defined. Based on the details you’ve provided, an individual’s salary or salary schedule is not considered a protected data element under this statute, so there’s a chance this incident may not trigger notification.

I do want to note that while the CCPA doesn’t change whether notice will be required, the CCPA does allow consumers to bring an action for statutory damages in the event of a data breach due to a business’s failure to implement reasonable security procedures (sidenote: I think this is the provision that may have led some to mistakenly believe that the CCPA changes breach notification obligations in California, but it does not). Before seeking these statutory damages, the consumer must provide a 30-days’ written notice identifying the specific CCPA violation (i.e., the business’s failure to implement reasonable security procedures). My point in sharing this information is to emphasize that if you ever need to issue a breach notice under California law, you should be mindful of this provision when drafting your notification letter or responding to any potential cure notices. The language used in these communications could come back to bite you later on.

I hope this information helps turn that frown upside down.

Cheers,

— Mary

“Dear Mary,” an advice column from Troutman Pepper’s Incidents + Investigations team, will answer questions about anything and everything cyber-related — incident response, forensic investigations, responding to regulators, breach-related litigation, and much more. “Dear Mary” goes beyond the articles, podcasts, webinars, and other content we produce, as we are responding directly to our reader’s questions with concise, practical answers. Answers will be general in nature and will not contain legal advice. If you need legal advice or representation, please contact one of our attorneys directly. “Dear Mary” also can be found here on the firm’s website.