On October 6, 2015, California Governor Jerry Brown signed into law several changes to California’s Data Breach Notification Statute. The law, as amended, adds additional categories of information into the definition of Personal Information, new content requirements for data breach notifications (together with a new form that when used properly will be deemed compliant with the new requirements), and a new definition of “encryption.” The amendment becomes effective as of January 1, 2016.
Impact to Business
The amended law affects persons and businesses that conduct business in California: it expands the definition of Personal Information that triggers a breach notification response, provides a new definition of “encryption,” and sets forth new obligations for notifying individuals affected by a breach of security. Businesses will now need to ensure that their breach notifications adhere to the specific title and heading requirements of the amended law. For printed notifications, it is advisable to use the form provided by the amended law to aid compliance (see below).
The expanded definition of Personal Information includes data or information collected through automated license plate recognition systems. Persons or businesses that collect this type of information should ensure that they adequately protect it and disclose it only in compliance with the amended law.
Persons or businesses that use “home grown” or other non-standard methods not generally accepted in the field of information security for encrypting information may need to move to a standard encryption algorithm in order to qualify for the exclusion of encrypted data elements from Personal Information under the new definition of “encryption.”
New Notification Content Requirements
The amended law modifies California Civil Code 1798.82 (applicable to businesses) and California Civil Code 1798.29 (applicable to California agencies) by requiring that the title of a breach notification read “Notice of Data Breach.” In addition, all such notifications must contain the following headings:
- “What Happened”
- “What Information Was Involved”
- “What We Are Doing”
- “What You Can Do”
- “For More Information”
In addition to the above required elements, one is permitted to provide any additional information as a supplement to the notice. The notice must be formatted to call attention to the nature and significance of the information it contains, and the title and headings must be clearly and conspicuously displayed. Persons or businesses must provide the notice in at least 10-point type.
For printed notifications, the amended law provides a form which, when used and completed with the required information written in plain English, will be deemed compliant with the amended law. This form is presented below:
[Table: the statutory model form for printed breach notifications, carrying the title “Notice of Data Breach” and the five required headings listed above]
For permitted electronic notifications, in addition to writing the notification in plain English, companies can comply with the amended law by using the required title and headings in their electronic notification. For permissible online notifications on the business’s website, the link to the notice on the home page, or on the first significant page after the home page, must be larger than the surrounding text, in a contrasting font or color, or otherwise set off from the surrounding text by symbols or marks that call attention to the link.
New Definition of Personal Information
As described above, the amended law also adds an additional category of information to the definition of Personal Information. Starting January 1, 2016, Personal Information will include information or data collected through the use or operation of an Automated License Plate Recognition system (ALPR system), defined in the concurrently enacted SB 34 as a “searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.” Businesses that deploy these types of systems will need to ensure that the information and data collected are properly protected and not disclosed to unauthorized third parties.
New Definition of Encryption
The amended law also adds a definition of “encrypted” to mean “rendered unusable, unreadable, or indecipherable to an unauthorized person through security technology or methodology generally accepted in the field of information security.” Companies that have relied on custom, non-standard solutions to argue that an unauthorized disclosure was not subject to the data breach notification requirements will need to update their encryption technology to generally accepted encryption methods. This new requirement is similar in nature to Washington State’s amended law, but stops short of suggesting the use of NIST standard encryption methods.
The amended law marks the continued enhancement of breach notification laws enacted by a number of states this year. The law as amended will require some businesses to protect additional categories of data or information they own or license, and may require changes to the encryption methodology some persons or businesses use to protect information. In the event of a breach, the new law requires that persons or businesses comply with the new content requirements when they issue any required breach notifications to affected individuals.