December 5, 2022

Volume XII, Number 339


December 05, 2022

Subscribe to Latest Legal News and Analysis

California Broadens Security and Breach Laws, Includes Genetic Data

California recently updated both its data security and breach notice laws to include genetic data. With the passage of AB 825, the data security law now includes in the definition of “personal information” genetic data. The information needs to be “reasonably protected.” While many other states have similar “reasonable protection” requirements in their data security laws, California is one of a handful to specifically list genetic information.

Genetic is now “personal information” subject to data breach notification requirements. This includes the breach notification law that applies to state agencies as well as companies. Genetic data is any data that results from an analysis of a biological sample or an equivalent element from a consumer that concerns genetic material. This includes DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, and SNPs.

Both modifications go into effect January 1, 2022.

Putting it Into Practice: Companies will want to review their incident response policies and data security programs prior to the effective date to ensure genetic data is addressed. The inclusion of genetic data into both of these laws shows the increasing regulation of health and medical data outside of HIPAA. (In addition to these amendments, California concluded its 2021 legislative calendar passing a law aimed at direct-to-consumer testing companies collecting genetic data (which we discussed here)). 

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 291

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...


Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

Staff Attorney

Harrison Schafer is a staff attorney in the Intellectual Property practice group in the firm's Chicago office. He is a Privacy and Cybersecurity Fellow and a member of the Privacy and Cybersecurity Team. He is a certified information privacy professional (CIPP/E and CIPP/US) by the International Association of Privacy Professionals (IAPP).

Areas of Practice

As a fellow, Harrison’s practice focuses on publishing articles covering relevant legal developments in the privacy and cybersecurity space to...