California Amends Its Data Breach Notification Law…Again

Joseph Lazzarotti
Jackson Lewis P.C.
Contact
LinkedIn
Facebook
X
Send
Embed

Under this most recent change to California’s breach notification laws (California Civil Code sections 1798.29 and 1798.82), which takes effect January 1, 2017, businesses and agencies subject to the laws can no longer assume that notification is not required when the personal information involved in the breach is encrypted.

Under current California law, notification of a breach is required when a California resident’s personal information was, or is reasonably believed to have been, acquired by an unauthorized person, and that personal information was unencrypted. Thus, before the change made by AB 2828, if an unauthorized person acquires encrypted personal information of California residents, notification is not required.

Beginning in 2017, notification will be required for breaches of encrypted personal information of California residents under the following conditions:

  • encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person,
  • the encryption key (confidential key or process designed to render the data readable) or security credential was, or is reasonably believed to have been, acquired by an unauthorized person, and
  • there is a reasonable belief that the encryption key or security credential could render that personal information readable or useable.

You should also remember there was a change to these laws that became effective in 2016 which addressed encryption. On October 6, 2015, California Governor Jerry Brown signed three laws which substantially altered and expanded the state’s security breach notification requirements. Among those changes, Assembly Bill 964 added a definition for encryption:

rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.

This language seems to allow for flexibility in the types of encryption that can be applied, as well as for future changes in encryption technology. For more information on encryption technologies, click here. But, with the more recent change, a breach involving personal information protected under a standard meeting the definition above still may trigger the statute’s notification requirements if the encryption key or security credentials also are involved and there is a reasonable belief that as a result the personal information will be readable or useable.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Lewis P.C. | Attorney Advertising

Written by:

Jackson Lewis P.C.
Jackson Lewis P.C.
Contact
more
less

Jackson Lewis P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide