California Expands Data Breach Notification Requirements

King & Spalding

On October 6, 2015, California Governor Jerry Brown signed into law three bills, A.B. 964, S.B. 570, and S.B. 34, expanding the requirements of California’s data breach notification law. The new requirements will become effective on January 1, 2016. California has been a leader in data privacy, and this expansion of its data breach notification law could influence other states.

New Notification Format
S.B. 570 creates format requirements for notices sent to California residents to better “call attention to the nature and significance of the information” in the notices. The notice must be written in plain language, in a font of at least size ten, and entitled “Notice of Data Breach.” The notice must contain five headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” S.B. 570 contains a notification template designed to satisfy the new requirements.

These format requirements further differentiate California notifications from those of other states and may increase the time and expense of notifying California residents. In some circumstances, the notification to California residents may even conflict with the notification requirements of other states. For example, Massachusetts does not permit a company to notify its residents about the nature of the breach or unauthorized acquisition, so a company may need to draft a separate notice for California residents when a data breach affects multiple states.

California permits “substitute notice” when a company must notify more than 500,000 residents or the cost of notification would exceed $250,000. The new law clarifies how the company can provide substitute notice, which includes emailing the resident, posting a link to the notice on its website for at least 30 days, and notifying major statewide media and the Office of Information Security within the California Department of Technology. Alternatively, if the breach involves only the unauthorized acquisition of the username or email address for an online account in combination with the password or security question/answer—and no other personal information is compromised—then a company may notify the resident electronically and direct the resident to change his or her password and security question/answer.

Expanded Definitions
California law generally does not require notice of a breach involving encrypted data, but the law never previously defined “encrypted.” A.B. 964 now defines “encrypted” as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” While this definition does not mandate a specific encryption methodology, as a practical matter a company may want to consider whether its security measures are generally accepted before adopting them, since the exemption turns on that standard. For example, a proprietary encryption mechanism that does not incorporate a generally accepted technology or methodology may not be eligible for the exemption under California’s notification law.

S.B. 34 expands the definition of “personal information” to include license plate information or data collected through an automated license plate recognition system when that information is used in combination with an individual’s name.  California is the first state to include license plate information as personal information.

Reporter, Kerianne Tobitsch, New York, NY, +1 212 556 2310, ktobitsch@kslaw.com.
