Data Breach Notification Law in California and Across the Nation Continues to Evolve

Perkins Coie

In four of the last five years, California’s legislature has updated its data breach notification law, expanding its scope and making the required notifications more specific. This year, the legislature passed three separate measures, A.B. 964, S.B. 570 and S.B. 34, that took effect on January 1, 2016 and address the definition of “encrypted,” the definition of personal information and the required content of notices.

What is “encrypted?” Most breach notification laws exempt a data loss from disclosure if the personal information was “encrypted” but fail to define what qualifies as “encrypted.” California’s law now specifies that encrypted means “unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” The definition names no particular algorithm; it refers instead to accepted practice in the field, so whether a given scheme qualifies depends on current information security norms rather than on the mere fact that the data was transformed.

What must notice look like? California’s law now specifies how the notice must be organized, standardizes the headings that must be used and requires that it be written in at least 10-point type. Each notice must be titled “Notice of Data Breach” and contain headings reading “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do” and “More Information.”

Protection for License Plate Numbers. California also became the first state in the nation to require breach notification for license plate numbers when they are collected through the use of an automated license plate recognition system.

Other Changes Across the Country

The new year is an excellent time to ensure that breach response plans are consistent with the many changes made by legislatures across the country, most of which have just gone into effect or are slated to become effective in the next few months.

To summarize, the statutory changes affect your next incident response as follows:

  • More incidents will be “breaches.” States continue to add data types to the definition of “personal information,” with the consequence that more and more incidents, especially those affecting health information and online user credentials, will trigger statutory notification requirements.
  • Credit monitoring is (sometimes) required. Connecticut became the first state to require identity theft protection services after a breach involving Social Security numbers.
  • More, and more public, regulator disclosure. Five more states now require regulator notification when consumers are notified of a breach, and at least two have already launched public websites listing the notices received.
  • More forms of notice. Several states have added provisions listing the content they want to see in consumer notifications, further complicating response to a nationwide incident.

As these laws become increasingly divergent and complex, careful monitoring and advice are essential, and all companies that do business with U.S. consumers should assess their current data security procedures and breach notification plans.

For a full list of state laws regarding security breach notification, please visit Perkins Coie's newly updated Security Breach Notification Chart.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Perkins Coie | Attorney Advertising