January 1, 2017 Will See Broader Requirements
California’s data breach notification law is already considered the most stringent in the United States. Based on a new amendment recently signed into law, the law will soon get even tougher.
On September 13, 2016, Governor Jerry Brown signed AB 2828, which amends the state’s data breach notification law, the statute that requires businesses to disclose data breaches to individuals whose personal information has been compromised. Currently, the law only requires businesses to disclose breaches in which “unencrypted” information is acquired. Under the new amendment, however, businesses must soon disclose breaches even when “encrypted” information has been acquired without authorization. As of January 1, 2017, the notification obligation under the amended law will be triggered where encrypted data is leaked together with the encryption key or security credential that “could render that personal information readable or useable.”
Prior to this amendment, encrypting data gave businesses a safe harbor from having to notify individuals whose private but encrypted data was leaked, whatever the cause. Once effective, this amendment will mean that even data that has been encrypted so as to be readable only by those who hold the key to decrypt it falls under the broad terms of the disclosure law when that key is compromised along with it.
The law applies to all persons and businesses (including non-profits) that own or license computerized data, and will be effective January 1, 2017.
Compliance Challenges Await California Businesses
The principle underlying this amendment is not controversial. In fact, it arguably patches a conceptual hole in the old law. However, the amendment presents an urgent compliance challenge for many businesses, because the new law effectively requires more data transaction points to be monitored: a business must now know not only when encrypted data leaves its control, but also whether the corresponding key or credential did.
Even before this amendment, California’s data breach law presented a significant challenge for employers: being able to quickly identify the extent of a data breach so as to avoid issuing a “false positive” notice to individuals whose data has not actually been breached. Successful management of this challenge can mean the difference between a quiet data security hiccup and a headline that portrays a breach of trust affecting millions of consumers. The amendment will only complicate that challenge, especially for businesses that have not been monitoring access to data in its encrypted form or to the keys that protect it.
What Should Employers Do Now?
Given the recent proliferation of spear phishing, ransom malware, and other hacking methods, the reality is that the occurrence of a data breach for any employer is not a matter of if but when. While even the most sophisticated and well-funded organizations still fall victim to data breaches, this should not discourage you from taking reasonable steps to identify potential security gaps and train staff on best practices for preventing data breaches.
In light of this amendment to California’s data breach notification law, you are encouraged to review your data security measures to ensure that a breach of encrypted data, or of the keys and credentials that protect it, does not go unnoticed. If any revision to current monitoring or reporting systems is necessary, it may also be prudent to rotate encryption keys across all company systems at the same time.
You should also consider additional steps such as establishing a security incident response team with protocols in place ready to triage a data breach when it happens, as well as conducting an annual security vulnerability audit and test simulations of a data breach.