Once again, California has amended its data breach notification laws, this time to remove a safe harbor pertaining to encrypted data. Under the statutes currently in effect, businesses are only required to notify California residents of data breaches that compromise unencrypted personal information. Under the amendment, however, notification obligations will also trigger when a data breach affects encrypted personal information, but only if the corresponding encryption key or security credential has also been compromised and if the business has a reasonable belief that the acquisition of any such encryption key or security credential could render the encrypted personal information readable or usable. The amended law also clarifies that the terms "encryption key" and "security credential" mean "the confidential key or process designed to render data usable, readable, and decipherable." The full text of California's amended data breach notification law, which was approved by Governor Jerry Brown on September 13, 2016, and which will take effect on January 1, 2017, is available here.