California Updates Data Breach Notification Statute for 2017

Alston & Bird
Contact

California, which has historically been one of the states at the vanguard of data breach notification issues, has made an update to its statute that takes effect on January 1, 2017. The update will require companies to notify affected individuals of a data breach of encrypted information, if “the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.” For the purposes of the statute, “encryption key” and “security credential” mean “the confidential key or process designed to render the data useable, readable, and decipherable.”

Notably, California is not the first state to require notice for a compromise of encrypted information if encryption key is also compromised. Seventeen other states, including New York and Texas, already included this requirement.

Companies should keep in mind that data breach notification statutes are far from settled, and state legislatures continue to be active in this area. As a result, companies should monitor the data breach notification statutes to ensure that they stay informed of changing obligations in this area.

[View source.]

Written by:

Alston & Bird
Contact
more
less

Alston & Bird on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide