Joining Illinois as the second state to have an amendment to its breach notice law effective in 2017, California recently amended its data breach notification law for the sixth time. The new modification is relatively minor, and follows other states Illinois, Nebraska, Nevada, and Tennessee that have recently modified their notice laws with respect to breaches of encrypted information.
Under the amendment, information that was encrypted will be considered breached if it is acquired along with a key or credential that “could render the personal information readable or usable.” From a practical perspective, this doesn’t change much for companies that have nationwide approaches to breach notification, as this language is similar to that in other states including Alaska, Hawaii, Indiana, Iowa, Massachusetts, Michigan, Minnesota, Nebraska, New Hampshire, New York, North Carolina, Oklahoma, Oregon, Pennsylvania, Rhode Island Texas, Virginia, Washington, and West Virginia. More troubling is the continuing desire of state legislatures to continually modify and tweak their breach notice laws.
TIP: Companies should keep in mind that state legislatures continue to tweak and modify their breach notification laws. This California law is simply the most recent example.