California Amends Data Breach Notification Law to Require Notification of Breach of Encrypted Personal Information When Encryption Key Has Been Leaked
On September 13, 2016, California Governor Jerry Brown signed into law AB 2828, an amendment to the law that requires businesses to disclose data breaches to California residents whose personal information has been compromised.
Currently, the law requires notification of a breach when a California resident’s unencrypted personal information is compromised. However, effective January 1, 2017, the amended law requires notification of a security breach when (a) there is unauthorized acquisition of both encrypted personal information and the encryption key or security credential, and (b) the business has a reasonable belief that the encryption key or security credential could render such personal information readable or useable.
Encryption is the conversion of data into a form that is unreadable to an unauthorized person. The California law defines “encryption key” as the confidential key or process designed to render the data readable.
The law is applicable to all persons and businesses that own or license computerized data and conduct business in California, as well as state agencies that own or license computerized data.
California was the first state in the U.S. to require notification of security breaches (its law became effective in 2003). California last amended its data breach notification law in October 2015 to define “encrypted,” as well as expand the definition of “personal information” and update the requirements for a security breach notification letter.