California, Again, Amends its Data Breach Notification Statute


By: Kacie Manisco

On October 6, 2015, Governor Jerry Brown signed into law three separate bills amending California’s Data Breach Notification Statute. Together, the amendments, which take effect on January 1, 2016, expand the definition of “personal information,” provide a new definition for the term “encrypted,” and impose additional formatting and substance requirements for individual data breach notification letters. These amendments apply to all persons and businesses conducting business in California, as well as to all California governmental agencies.

The first amendment, Senate Bill 34, expands the definition of “personal information” to include “information or data collected through the use or operation of an automated license plate recognition (“ALPR”) system.” The Bill imposes specific requirements on ALPR operators, such as police departments, to maintain a specified record of access to ALPR information. It further requires ALPR operators to implement “reasonable safeguards” to protect ALPR data from unauthorized use or disclosure, although it does not specify exactly what safeguards should be implemented in order to be “reasonable.” The amendment also provides a private right of action to individuals harmed by violation of these security requirements.

The second amendment to the Data Breach Notification Statute, Assembly Bill 964, attempts to clarify the meaning of the term “encrypted.” Under California law, as under other state data breach laws, notification is generally not required for breaches of information that is encrypted. The amendment defines “encrypted” to include data that has been rendered “unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” However, the statute does not specify any particular method or level of encryption that is required.

Lastly, upon a security breach, existing law requires California businesses and agencies to issue a security breach notification meeting specific requirements, including that the notification be written in plain language. Senate Bill 570 imposes additional requirements on the formatting and language used for such security breach notifications.  The amendment requires the notification to be titled “Notice of Data Breach,” and it must present information under the following headings: “What Happened,” “What Information was Involved,” “What are we Doing,” “What You Can Do,” and “For More Information.”

California businesses and agencies must be attentive to the ever-changing notice requirements, as these amendments mark the third time in three years California has amended its Data Breach Notification Statute. As we have discussed before, these changes highlight the importance of being prepared before a breach occurs, which includes having a data breach response plan in place that will help you timely comply with notice obligations like these. We have created our FMG Cyber Toolkit to help our clients for this very reason. Please contact one of our Cyber, Data Security, and Privacy practice group attorneys for more information about developing a plan for your organization.