University of California, Riverside

Security Breaches



Senate Bill 1386 and Assembly Bill 700, effective July 1, 2003, added a new provision to the California Information Practices Act - Civil Code 1798.29, 1798.82. This new provision requires any state agency (including the University of California) with computerized data containing personal information to disclose any breach of security of a system containing such data to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The Civil Code defines "personal information" to be an individual's first and last name in combination with any of the following (see other definitions):

  • Social security number and/or
  • Driver's license number or CA identification card number and/or
  •  Financial account number, credit or debit card number, in combination with any security code, access code, or password that would permit access to the individual's account and/or
  • Medical information (medical history, mental or physical condition, medical treatment or diagnosis) and/or
  • Health insurance information (policy number, subscriber information number, individual's application and claims history including appeal records)

It requires that owners of computerized data must give notice of any security breach to affected persons in the most expedient time possible and without unreasonable delay (see Incident Response Procedures). The provision also allows for substitute notice (e.g., via posting on the agency's website and notification to major statewide media) in certain circumstances. The bill specifies that an agency that maintains its own notification procedures as part of an information security policy shall be deemed to be in compliance with the bill's notification requirements, as long as the agency notifies people in accordance with its policies in case of a security breach and as long as the agency is otherwise consistent with the bill's timing requirements for notification.

The University of California Office of the President (UCOP) has incorporated the legal requirements into Business and Finance Bulletin IS-3 - "Electronic Information Security." The guidelines and procedures contained on these web pages are provided to campus departments and units for their assistance in implementing the UCOP requirements.

More Information 

General Campus Information

University of California, Riverside
900 University Ave.
Riverside, CA 92521
Tel: (951) 827-1012

Department Information

Computing & Communications
Computing & Communications Bldg.

Tel: (951) 827-3555
Fax: (951) 827-4541