June 27, 2019

June 26, 2019

Subscribe to Latest Legal News and Analysis

June 25, 2019

Subscribe to Latest Legal News and Analysis

June 24, 2019

Subscribe to Latest Legal News and Analysis

California Amends Data Breach Notification Law to Require Notification of Breach of Encrypted Personal Information When Encryption Key Has Been Leaked

On September 13, 2016, California Governor Jerry Brown signed into law AB 2828, an amendment to the law that requires businesses to disclose data breaches to California residents whose personal information has been compromised.

Currently, the law requires notification of a breach when a California resident’s unencrypted personal information is compromised. However, effective January 1, 2017, the amended law requires notification of a security breach when (a) there is unauthorized acquisition of both encrypted personal information and the encryption key or security credential, and (b) the business has a reasonable belief that the encryption key or security credential could render such personal information readable or useable.

Encryption is the conversion of data into a form that is unreadable to an unauthorized person. The California law defines “encryption key” as the confidential key or process designed to render the data readable.

The law is applicable to all persons and businesses that own or license computerized data and conduct business in California, as well as state agencies that own or license computerized data.

California was the first state in the U.S. to require notification of security breaches (its law became effective in 2003). California last amended its data breach notification law in October 2015 to define “encrypted,” as well as expand the definition of “personal information” and update the requirements for a security breach notification letter.

© 2019 Proskauer Rose LLP.

TRENDING LEGAL ANALYSIS


About this Author

Tiffany Quach, associate, corporate department, business law, proskauer, New York, Privacy Law, IP, technology
Associate

Tiffany Quach is an associate in the Corporate Department. Her practice focuses on intellectual property, technology, privacy and data security, marketing and advertising across a range of industries, including media, communications, life sciences, financial services, retail, fashion, entertainment and sports. She has represented clients including Altice USA, Harry Winston, the Juilliard School and ZocDoc in relation to intellectual property and privacy and data security matters.

She contributes to Proskauer’s Privacy Law blog and maintains the...

212-969-3171