Why it matters

The first state to enact data breach notification legislation, California has now updated Civil Code Section 1798.82 with three new bills signed into law by Governor Jerry Brown. Specifically, Senate Bill 570 added requirements to the existing data breach notification bill with rules about the format of a data breach notice, such as mandatory title and headings, a design to call attention to the "nature and significance" of the information contained, and text in at least 10-point type. The legislation included a model form that, if used, will be deemed compliant under the statute. Two other bills made definitional changes impacting the scope of data covered by the notification bill. Under existing law, a breach occurs only if the compromised personal information was not encrypted. Assembly Bill 964 defined "encrypted" while Senate Bill 34 expanded the scope of "personal information" to include the use or operation of an automated license plate recognition system. Businesses should prepare themselves for the new laws, which take effect January 1, 2016.

Detailed discussion

In 2002, California became the first state to enact legislation requiring that a company provide notice to affected consumers in the event of a data breach. Since then, 46 other states and the District of Columbia have followed suit, while dozens of bills attempting to establish a national standard have flamed out in Congress.

Continuing its focus on privacy and data security issues, the state has amended its legislation with three new bills signed into law by Governor Jerry Brown on October 6.

Under current law, the state mandates that the "plain language" notice provided to affected consumers include the name and contact information of the notifying entity; a list of the types of personal information subject to the breach; the date of the breach; whether notification was delayed because of a law enforcement investigation; the phone numbers and addresses of the major credit reporting agencies if the breach involved Social Security, driver's license, or California identification card numbers; and in cases where identity theft and mitigation services are being offered by the notifying entity, all necessary information to take advantage of that offer.

Senate Bill 570 added new notice requirements with respect to formatting. The notice must be titled "Notice of Data Breach" and the required content for the notice must be set forth under specific headings: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information." If an entity wants to provide additional information, it may do so with a supplement to the notice.

The notice must be designed to call attention to the "nature and significance" of the information contained, with title and headings "clearly and conspicuously" displayed, using at least 10-point text. Entities that use a model security breach notification form included in the legislation will be deemed compliant.

Certain entities are permitted to provide substitute notice under Civil Code Section 1798.82, where the notification cost would exceed $250,000, more than 500,000 individuals are affected, or the business lacks sufficient contact information. S.B. 570 also tweaked the notice requirements in these circumstances.

Notice via a conspicuous website posting must be visible for at least 30 days, with "conspicuous" defined as "providing a link to the notice on the home page or first significant page after entering the web site, in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link."

If the breach affected usernames or e-mail addresses in combination with passwords or security questions and answers—with no other personal information impacted—an electronic notice directing consumers to change their password and security questions and answers will suffice. Notice via e-mail is not permitted, however, where the breach affected usernames or e-mail addresses that serve as login credentials for an e-mail account provided by the entity. Instead, the entity must use a different format, such as written notice or "clear and conspicuous" notice delivered when the consumer is connected to the online account from an IP address or online location the entity recognizes.

A second measure, Assembly Bill 964, established a definition of the term "encrypted." A breach occurs under California law only if the compromised personal information was not encrypted, and "encrypted" is now defined as "rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security."

Finally, Senate Bill 34 amended the statutory definition of "personal information" to incorporate "information or data collected through the use or operation of an automated license plate recognition system." Under the new law, operators and end users of an automated license plate recognition (ALPR) system must maintain reasonable security procedures and practices, including operational, administrative, technical, and physical safeguards, intended to protect ALPR information. In addition, a usage and privacy policy—addressing the collection, use, maintenance, sharing, and dissemination of information—must be established.

The new law also permits individuals to bring a civil action against ALPR operators and end users for violations of the statute, with actual damages up to $2,500, plus punitive damages, attorneys' fees and costs, and equitable relief.

To read S.B. 570 and view the model form, click here.

To read A.B. 964, click here.

To read S.B. 34, click here.