California Revises Data Breach Notification Laws
California Governor Jerry Brown has signed into law three bills that revise California’s data breach notification requirements. The laws clarify important definitions, adjust notification requirements, and require operators of automated license plate recognition (“ALPR”) systems to adopt new security policies and record keeping procedures.
Assembly Bill 964 (A.B. 964) defines the word “encrypted” as used in the data breach notification law. “Encrypted” data under the new law must be “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” On the statute’s face, there is no further or more detailed description of encryption requirements. In 2014, the California Attorney General released a Data Breach Report recommending a number of ways data should be encrypted: for retailers, from the point of capture until completion of transaction authorization; for the health care industry, strong full-disk encryption to the standard set by the National Institute of Standards and Technology (“NIST”). It also suggested protecting personal information in transit using FIPS 197, NIST’s standard approved for U.S. Government organizations to protect higher-risk information.
Senate Bill 570 (S.B. 570) requires security breach notifications to be titled “Notice of Data Breach” and to present a variety of information, including “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” The law includes a model security breach notification form to be completed in plain language. Conspicuous posting of the notice is required on the notifying entity’s web site for a minimum of 30 days. There must be a link to the notice on the entity’s home page that is more noticeable (based on font, size, color, and other attributes specified in the law) than the surrounding text.
All three laws become effective on January 1, 2016.