California Strengthens Data Breach Notification Law, Again


189166_71f2_10By: Kacie L. Manisco

As of January 1, 2017, California’s data breach notification law became even more stringent than it already was, requiring notification to individuals in some instances when encrypted personal information has been breached.

California’s current data breach notification law requires agencies, persons, and companies that conduct business in California, and that own or license computerized data that includes personal information (“Covered Entities”) to notify individuals whose personal information has been compromised, only where unencrypted information has been accessed. This mirrors the majority of other data breach notification laws that provide a safe harbor for encrypted data that is lost or stolen.

The amendments to California’s law, however, will now require Covered Entities to provide notification of a breach to affected individuals whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person if “the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person, business, or agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.”  In other words, as of January 1, there will no longer be a safe harbor in California for a breach of encrypted data if the Covered Entity knows or has a reasonable basis for believing that the unauthorized person also gained access to the encryption key.

In light of these changes, Covered Entities should review their data security measures and response plans to ensure that they are prepared for and can respond efficiently to a data breach, and detect when one occurs. All organizations also must be attentive to the ever-changing notice requirements under state and federal data breach notification laws.  Indeed, this amendment marks the sixth-time that California has amended its data breach notification statute since its inception in 2002. Working with experienced and knowledgeable cyber attorneys is important in that regard, and the attorneys in our Cyber Liability, Data Security & Privacy team keep up to date on all of these changes and other developments in the law. Please contact us to discuss how we can help your organization.

For any questions you may have please contact Kacie Manisco at [email protected].



Articles

Be on the Lookout for Minimum Wage Increases in 2017

California Strengthens Data Breach Notification Law, Again

BITAG Releases Report Containing Security and Privacy Recommendations on Internet of Things Devices

San Francisco’s Paid Parental Leave Law


Learn more about FMG

CGL and Business Liability

Commercial and Complex Litigation

Construction and Design Law

Financial Services and Securities

Insurance Coverage & Bad Faith

Government Law

Labor and Employment Law

Professional Liability / Errors and Omissions



Freeman Mathis & Gary, LLP
100 Galleria Parkway
Suite 1600
Atlanta, Georgia 30339-5948

Tel: 770.818.0000 / Fax: 770.937.9960

www.fmglaw.com


Copyright © 2016 Freeman Mathis & Gary, LLP Click here to print the article.