For the third time in as many years, California has once again amended its breach notification statute. This time it expanded the definition of “personal information,” clarified the term “encryption,” and mandated additional formatting and content requirements for individual notification letters. These amendments impact both companies and agencies and will go into effect on January 1, 2016.
In 2003, California became the first state in the country to require security breach notification. Since then, nearly every state has followed California’s lead in enacting laws that require entities who experience a security breach to notify affected individuals. On October 6, 2015, Governor Jerry Brown continued the tradition of leadership by signing into law three separate bills, each one amending a different aspect of California’s breach notification framework.
Expansion of Personal Information Definition
The first amendment, Senate Bill 34, expands the definition of “personal information” to include data collected through the use of an automated license plate recognition system. License plate recognition (LPR) systems use optical character recognition on video images to read license plates on motor vehicles and then store that data in a searchable computerized database. The use of this technology has skyrocketed in recent years, with nearly 70 percent of local police departments utilizing LPR systems to some extent. This amendment, which applies to both public and private entities, will require entities that use LPR systems to implement reasonable safeguards to protect LPR data from unauthorized use or disclosure. In addition, S.B. 34 provides a private right of action to individuals harmed by a violation of these security requirements.
Limitations on Acceptable Encryption
The second amendment, Assembly Bill 964, clarifies the meaning of the term “encrypted.” Personal information is deemed to be encrypted if it is rendered “unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” Information that is encrypted generally does not trigger notification obligations under California law, and the failure to define the term left some ambiguity surrounding the type of encryption that would qualify for the safe harbor. Although some ambiguity remains as to what encryption is generally accepted in the field of information security, the amendment will now exclude most custom and proprietary encryption algorithms.
Notification Letter Formatting Changes
The final amendment, Senate Bill 570, revamps the formatting and language used for security breach notifications. On top of the existing content requirements, notification letters must now be titled “Notice of Data Breach” and include the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Presumably, these changes were made to reflect the most common questions asked by consumers following a breach. The title and headings must be clearly and conspicuously displayed using a font size that is 10 points or larger. 10-point font is still smaller than what is required by Medicare.
S.B. 570 also provides a model security breach notification form, which, if used, is deemed to comply with the new content requirements for written notification. This amendment adds another layer of complexity to the patchwork of breach notification laws across the country, many of which have their own specific content requirements, and highlights the importance of using experienced data breach counsel with intimate knowledge of the different requirements of each jurisdiction.
To help navigate the continuing developments in state breach notification law requirements, BakerHostetler has assembled a state-by-state survey that is updated regularly to reflect newly enacted legislation.
