Changes to California’s Data Breach Notification Requirements
On October 6, 2015, California Governor Jerry Brown signed three new laws which substantially alter and expand the state’s security breach notification requirements. The new changes to California Civil Code sections 1798.29 and 1798.82, the Golden State’s laws that require notifications by state agencies and private sector entities of certain breaches of security (i) provide a definition for encryption, (ii) establish new requirements for the content and form of breach notifications, and (iii) add license plate information gathered through automated license plate recognition (ALPR) systems to the definition of personal information subject to the state’s notification requirements. These changes become effective January 1, 2016.
When is Personal Information Considered “Encrypted”
Under California’s current law, if personal information is “encrypted,” the notification requirements will not apply. Until now, the law had not defined when personal information would be considered to be “encrypted.” Assembly Bill 964 amends California Civil Code sections 1798.29 and 1798.82 to provide a definition for this previously undefined term. With passage of the amendment, the term “encrypted” is now defined as “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.” This language seems to allow for flexibility in the types of encryption that can be applied, as well as for future changes in encryption technology. For more information on encryption technologies, click here.
Updates to Content and Form of Breach Notification
Senate Bill 570 amends California Civil Code sections 1798.29 and 1798.82 to require government agencies and businesses to clarify the content of security breach notifications and provides a model security breach notification. All security breach notifications must now be titled “Notice of Data Breach” and present required information under the following headlines: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” The notice must be designed to call attention to the nature and significance of the matter, must be clear and conspicuous and must be in text no smaller than 10-point type.
Use of the model notification form will be deemed compliant with California’s notification requirements, and thus helpful for agencies and business when trying to understand what the notice needs to say. However, in the case of breaches affecting individuals in multiple states, when simplifying the notification process is critical, use of California’s model notice across multiple states may be problematic. For example, the “What Happened” section should not be included in notices to Massachusetts residents as that state’s law prohibits including a description of the nature of the breach or unauthorized acquisition or use.
Information Obtained from Automated License Plate Recognition Systems is Personal Information
These amendments represent significant changes to the security breach notifications provisions of Civil Code sections 1798.29 and 1798.82, as well as additional protections for information obtained from APLR systems. In particular, they impact how to respond to security breaches, how to protect personal information and the scope of what information is protected. Businesses are encouraged to review their encryption policies, adopt compliant security breach notification forms and, if using an ALPR system, adopt compliant policies with respect to ALPR information and the employees who control those systems.