On October 6, 2015, California Governor Jerry Brown signed three bills amending California's breach notification statute. The first bill, A.B. 964, adds a definition for the word "encrypted" in California's breach notification statute. The Act defines "encrypted" as data that is "rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security." The second bill, S.B. 570, adds content requirements for the notices that must be sent to consumers following a data breach. Specifically, it requires that the notices be titled "Notice of Data Breach" and contain the following sections: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information." The bill also includes a model breach notification form. The third bill, S.B. 34, provides that information collected using an automated license plate recognition system constitutes personal information for the purposes of California's breach notification statute when such information is not encrypted and is used in combination with an individual's name. The bill further provides that automated license plate recognition operators and end-users must implement security procedures and practices as well as privacy policies. The new laws take effect on January 1, 2016.
On October 8, 2015, Governor Brown also signed the California Electronic Communications Privacy Act, S.B. 178. The new law requires a search warrant, or other judicial authorization, for law enforcement to require a service provider to produce or provide access to an individual's electronic communication information or electronic device information. The Act defines "electronic communication information" to include both the content of a communication and its metadata. It further defines "electronic device information" to include any information stored on or generated through the operation of an electronic device, including the current and prior locations of the device. The Act does not prevent state law enforcement from requiring the originator or intended recipient of an electronic communication to disclose any electronic communication information. It also does not prevent state law enforcement agencies from requiring an entity that provides electronic communication services to employees for work purposes to disclose electronic communication information, nor does it prohibit law enforcement from using a subpoena to obtain subscriber information from a service provider. The new law becomes effective on January 1, 2016.