California Amends Data Breach Notification Statute by Requiring Specific Notification Content and Expanding the Definition of Personal Information
California’s Data Breach Notification Statute was amended on October 6, 2015, by Governor Jerry Brown. The amendment, which takes effect on January 1, 2016, makes important changes to the existing law, including new requirements for security breach notification through the use of prescribed headings in the notification letter. In addition, the definition of “personal information” has been expanded, and there is a new definition of the word “encrypted.” This amendment applies to all persons and businesses that conduct business in California (Civil Code Section 1798.82) and to all California governmental agencies (California Civil Code Section 1798.29).
The amendment requires that the notification now be titled “Notice of Data Breach” and present its information under the prescribed headings shown in the model form set forth in the amendment (see below). Additional information may be provided as a supplement to the notice. A notification that follows the model security breach notification form, using the prescribed headings and written in plain English, is deemed to be in compliance.
Model Security Breach Notification Form
In addition, the definition of “personal information” has been expanded to include “information or data collected through the use or operation of an automated license plate recognition system.”
Also of interest is an amended definition of the word “encrypted,” which is now defined as data that has been “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” This amendment can be read to mean that any technology that renders information unusable, unreadable, or indecipherable will allow the information to be considered “encrypted,” regardless of the specific technology used. Thus, a breach involving “hashed” passwords, which many argue is a more secure method of storing passwords than encryption, may not trigger the statute’s notification requirements.
Data privacy continues to be a quickly evolving landscape in California and elsewhere. Persons and companies doing business in California and holding personal information should remain vigilant with regard to the ongoing changes to California’s Data Breach Notification Statute.