September 20, 2017

Changes to California’s Data Breach Notification Requirements

On October 6, 2015, California Governor Jerry Brown signed three new laws which substantially alter and expand the state’s security breach notification requirements. The new changes to California Civil Code sections 1798.29 and 1798.82, the Golden State’s laws that require notifications by state agencies and private sector entities of certain breaches of security, (i) provide a definition for encryption, (ii) establish new requirements for the content and form of breach notifications, and (iii) add license plate information gathered through automated license plate recognition (ALPR) systems to the definition of personal information subject to the state’s notification requirements. These changes become effective January 1, 2016.

When is Personal Information Considered “Encrypted”

Under California’s current law, if personal information is “encrypted,” the notification requirements will not apply. Until now, the law had not defined when personal information would be considered to be “encrypted.” Assembly Bill 964 amends California Civil Code sections 1798.29 and 1798.82 to provide a definition for this previously undefined term. With passage of the amendment, the term “encrypted” is now defined as “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.” This language seems to allow for flexibility in the types of encryption that can be applied, as well as for future changes in encryption technology.

Updates to Content and Form of Breach Notification

Senate Bill 570 amends California Civil Code sections 1798.29 and 1798.82 to require government agencies and businesses to clarify the content of security breach notifications and provides a model security breach notification. All security breach notifications must now be titled “Notice of Data Breach” and present required information under the following headlines: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” The notice must be designed to call attention to the nature and significance of the matter, must be clear and conspicuous and must be in text no smaller than 10-point type.

Use of the model notification form will be deemed compliant with California’s notification requirements, and thus helpful for agencies and businesses when trying to understand what the notice needs to say. However, in the case of breaches affecting individuals in multiple states, when simplifying the notification process is critical, use of California’s model notice across multiple states may be problematic. For example, the “What Happened” section should not be included in notices to Massachusetts residents as that state’s law prohibits including a description of the nature of the breach or unauthorized acquisition or use.

Information Obtained from Automated License Plate Recognition Systems is Personal Information

Popular among local law enforcement, automated license plate recognition (ALPR) systems allow license plate information to be captured from videos and stored. Senate Bill 34 added new sections to California’s Civil Code, beginning with section 1798.90.5, to require that certain users of those systems – called ALPR operators – safeguard ALPR information, including a requirement to implement a usage and privacy policy in order to ensure that the collection, use, maintenance, sharing and dissemination of ALPR information is consistent with respect for individuals’ privacy and civil liberties. However, the Senate Bill also amends California Civil Code sections 1798.29 and 1798.82 to include information obtained from ALPR systems in the definition of “personal information” when used along with an individual’s name. Thus, if this information is involved in a breach of security, it will trigger a notification requirement. Also, individuals harmed by unauthorized access or use of ALPR information or a breach of security of an ALPR system may bring a private right of action.

These amendments represent significant changes to the security breach notification provisions of Civil Code sections 1798.29 and 1798.82, as well as additional protections for information obtained from ALPR systems. In particular, they impact how to respond to security breaches, how to protect personal information and the scope of what information is protected. Businesses are encouraged to review their encryption policies, adopt compliant security breach notification forms and, if using an ALPR system, adopt compliant policies with respect to ALPR information and the employees who control those systems.

Jackson Lewis P.C. © 2017

About this Author

Principal

Joseph J. Lazzarotti is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. He founded and currently helps to co-lead the firm's Privacy, e-Communication and Data Security Practice, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals.

In short, his practice focuses on the matrix of laws governing the privacy, security and management of data, as well as the impact and regulation of social media. He also...

973-538-6890
Associate

Douglas G.A. Johnston is an Associate in the San Francisco, California, office of Jackson Lewis P.C. He focuses his practice on defending employers in litigation and, in particular, against class action wage and hour allegations. 

Recently, Mr. Johnston successfully argued before the U.S. Ninth Circuit Court of Appeals, defeating a challenge to the District Court’s grant of summary judgment on behalf of an employer. In addition to his litigation practice, Mr. Johnston frequently counsels employers on complying with California’s wage and hour laws.

Mr. Johnston serves as the San Francisco office’s e-discovery liaison, advising clients and colleagues on appropriate data retention practices, discovery of electronically stored information and complying with state and federal rules related to document review and production.

415-796-5421