California law generally does not require notice of a breach involving encrypted data, but the law never previously defined “encrypted.” A.B. 964 now defines “encrypted” as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” While this definition does not mandate a specific encryption methodology, as a practical matter a company may want to consider whether its security measures are generally accepted before adopting them. For example, a proprietary encryption mechanism that does not incorporate a generally accepted technology or methodology may not be eligible for exemption under California’s notification law.
S.B. 34 expands the definition of “personal information” to include license plate information or data collected through an automated license plate recognition system when that information is used in combination with an individual’s name. California is the first state to include license plate information as personal information.