California Strengthens Data Breach Notification Law, Again


By: : Kacie L. Manisco

On January 1, 2017, California’s data breach notification law will become even more stringent than it already is, requiring notification to individuals in some instances when encrypted personal information has been breached.

California’s current data breach notification law requires agencies, persons, and companies that conduct business in California, and that own or license computerized data that includes personal information (“Covered Entities”) to notify individuals whose personal information has been compromised, only where unencrypted information has been accessed.  This mirrors the majority of other data breach notification laws that provide a safe harbor for encrypted data that is lost or stolen.

The amendments to California’s law, however, will now require Covered Entities to provide notification of a breach to affected individuals whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person if “the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person, business, or agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.”  In other words, beginning on January 1, there will no longer be a safe harbor in California for a breach of encrypted data if the Covered Entity knows or has a reasonable basis for believing that the unauthorized person also gained access to the encryption key.

In light of these changes, Covered Entities should review their data security measures and response plans to ensure that they are prepared for and can respond efficiently to a data breach, and detect when one occurs. All organizations also must be attentive to the ever-changing notice requirements under state and federal data breach notification laws.  Indeed, this amendment marks the sixth-time that California has amended its data breach notification statute since its inception in 2002.  Working with experienced and knowledgeable cyber attorneys is important in that regard, and the attorneys in our Cyber Liability, Data Security & Privacy team keep up to date on all of these changes and other developments in the law. Please contact us to discuss how we can help your organization.

For any questions you may have please contact Kacie Manisco at [email protected].