The California legislature has again amended the state’s breach notification statutes to impose new and unique requirements and refinements, adding further complexity to the patchwork of breach notification requirements. Through three bills described below, California has expanded the definition of “personal information,” clarified the meaning of “encryption” for purposes of the notification safe harbor, and specified formatting requirements for notices to affected individuals. The amendments, which extend to companies (Cal. Civ. Code § 1798.82) as well as government agencies (Cal. Civ. Code § 1798.29), will take effect January 1, 2016.

Continuing Expansion of “Personal Information”

Senate Bill 34 expands the definition of “personal information” triggering breach notification requirements to include “[i]nformation or data collected through the use or operation of an automated license plate recognition system.” This addition, unique among other states’ definitions of “personal information” in breach notification statutes, is likely in recognition of ever-increasing collection of information about driver practices, which can reveal significant amounts of historical location information. It remains to be seen whether other states will follow California’s lead as a number of states have done since California expanded the definition of “personal information” to include online account credentials in 2013, as we reported here.

Senate Bill 34 also requires reasonable security procedures and practices with respect to automated license plate recognition (“ALPR”) information, and implementation of a usage and privacy policy satisfying specific requirements with respect to such data. Further, Senate Bill 34 provides for a civil cause of action with respect to violations of such requirements.

Refinement of Encryption Safe Harbor

Assembly Bill 964 provides a definition of “encryption” for purposes of California’s existing encryption safe harbor (a breach of encrypted data does not currently trigger a notification obligation under California law). The bill defines the term as circumstances where information is rendered “unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” The definition appears to be part of a continuing effort to encourage a sufficient level of encryption of personal information, and to narrow applicability of the safe harbor to those encryption methodologies generally accepted in the field of information security.

Specific Individual Notice Formatting Requirements and Model Form

Senate Bill 570 imposes new, specific requirements for the form of breach notification letters issued to affected individuals, including a requirement that such notifications be titled “Notice of Data Breach”; use no smaller than 10-point font; and include the following headings for existing required disclosures: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Senate Bill 570 also provides a model form of breach notification, use of which shall be deemed to be compliant with the new specific formatting requirements. The model form appears intended to provide individuals affected by a breach with a standardized presentation of information so that they can more easily determine what course of action to take following a breach.

Entities experiencing a multi-state breach impacting California residents will likely turn to California’s form to fulfill the requirements of the various states’ breach notification statutes, subject to the other states’ specific content requirements. Potential discord may arise if other states follow suit, unless they adopt model forms that are consistent with that provided in Senate Bill 570.

In addition, Senate Bill 570 specifies requirements for “conspicuous” website notice, where substitute notice is either permitted (over 500,000 individuals are to be notified and/or cost of notice exceeds $250,000) or required (insufficient contact information). Effective January 1, 2016, such website notice must be posted for a minimum of 30 days and satisfy specific format requirements designed to call attention to the notice.