October 19, 2021

Volume XI, Number 292


California Amends Data Breach Notification Statute by Requiring Specific Notification Content and Expanding the Definition of Personal Information

California’s Data Breach Notification Statute was amended on October 6, 2015, by Governor Jerry Brown. The amendment, which takes effect on January 1, 2016, makes important changes to the existing law, including new requirements for security breach notification through the use of prescribed headings in the notification letter. In addition, the definition of “personal information” has been expanded, and there is a new definition of the word “encrypted.” This amendment applies to all persons and businesses that conduct business in California (Civil Code Section 1798.82) and to all California governmental agencies (California Civil Code Section 1798.29).

The amendment requires that the notification shall now be titled “Notice of Data Breach,” and shall present information under the prescribed headings shown in the model form as set forth in the amendment (see below). Additional information may be provided as a supplement to the notice. The model security breach notification form, with the prescribed headings and written in plain English, shall be deemed to be in compliance.

Model Security Breach Notification Form

[Image: Data Privacy - Form]

In addition, the definition of “personal information” has been expanded to include “information or data collected through the use or operation of an automated license plate recognition system.”

Also of interest is an amended definition of the word “encrypted,” which is now defined as data that has been “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” It appears that this amendment can be interpreted to mean that technology that renders information unusable, unreadable or indecipherable will permit the information to be considered “encrypted” regardless of the specific technology. Thus, a breach involving “hashed” passwords, which many argue is a more secure method of storing passwords than encryption, may not trigger a violation of notification requirements.

Data privacy continues to be a quickly evolving landscape in California and elsewhere. Persons and companies doing business in California and holding personal information should remain vigilant with regard to the ongoing changes to California’s Data Breach Notification Statute.

© 2021 Wilson Elser
National Law Review, Volume V, Number 289

About this Author

Ian Stewart Litigation Attorney Wilson Elser Law Firm
Partner

Ian Stewart has defended complex litigation in state and federal courts for 25 years with a focus on product liability, complex general casualty, cannabis law, data privacy and cybersecurity, and intellectual property litigation. Ian is deputy regional managing partner of the firm’s Los Angeles office and a member of the Information Governance Leadership Committee.

As co-chair of the firm’s national Cannabis & Hemp Law Practice, Ian leads a national multidisciplinary team of lawyers who serve all aspects of the cannabis and hemp industries, as well as financial institutions and...

213.330.8830
Gregory Lee, Litigator, Aviation, Employment, Product Liability, Wilson Elser Law Firm
Of Counsel

Greg Lee is an experienced civil litigator who has resolved complex disputes – often involving novel issues – brought in state and federal courts throughout the country. Greg’s litigation practice encompasses a range of specialized areas, including aviation and aerospace, commercial litigation, employment litigation, general liability, product liability and professional liability, among others. Greg’s broad base of knowledge and diverse capabilities enable him to skillfully and effectively guide the firm’s clients through a wide variety of litigated matters, and to deliver innovative...

213.330.8972