The Fall season often brings changes to California laws, and this year is no exception. Once again, the California Security Breach Disclosure Laws have been amended. During the first half of October, California Governor Jerry Brown signed three bills amending the State’s Security Breach Disclosure Laws. These amendments will be effective as of January 1, 2016.
New Category of Protected Information
The amendment resulting from the signature of SB 34 adds license plate information – specifically, “information or data collected through the use or operation of an automated license plate recognition system” – to the list of information deemed “personal information” protected under the Security Breach Disclosure Laws codified as Civ. Code Sections 1798.29 and 1798.82.
Definition of Encryption
Assembly bill AB 964, also signed into law by Governor Jerry Brown in early October, clarifies the meaning and scope of the term “encryption” used in the Security Breach Disclosure Laws. This is a welcome clarification, thirteen years after the enactment of the original law. During that period, the most common interpretation of the term “encryption” in the context of security breach disclosure laws was that it was intended to mean “strong encryption” as opposed to the use of passwords to limit access to a server.
The term “encrypted” data, under the AB 964 amendment, is defined as data that is “rendered unusable, unreadable or undecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” There is no indication of what criteria will be used to determine the extent to which a particular technology or methodology will be deemed “generally accepted” in the field of information security. Companies may consider turning to relevant publications by NIST, the US National Institute of Standards and Technology, or to standards established by well-known organizations such as the International Organization for Standardization (ISO), an international standard-setting body.
Required Format for Breach Notices
Finally, SB 570 amends the California Security Breach laws to require that a specific outline be used when preparing a Breach Disclosure Notice. While prior amendments to the California Security Breach Laws did specify the type of information that should be included in a breach notice, this amendment focuses on the readability of the document and prescribes the sequence in which the information must be provided and the titles to be used for each section of the disclosure. The notice must be titled “Notice of Data Breach”. It must be broken into prescribed sections titled:
- “What happened”;
- “What information was involved”;
- “What we are doing”;
- “What you can do”; and
- “For more information”.
The affected entities are given the freedom to supplement this information.
The amendment also requires, among other things, that the format of the notice be designed to call attention to the nature and significance of the information that it contains. The font used must be no smaller than 10-point type. A sample form is provided in the bill.
These amendments will be effective as of January 1, 2016. That leaves companies subject to California disclosure laws ten weeks to update their security incident response plans and forms, and to adjust their practices to the new amendments.