Earlier this year, California Governor Jerry Brown signed into law AB 2828, an amendment to the state’s data breach notification law. This amendment, which takes effect January 1, 2017, changes the circumstances under which an entity must disclose a breach to affected individuals.  

Currently, the state’s breach notification law (California Civil Code section 1798.82 for businesses and 1798.29 for state agencies) requires that individuals be notified when unencrypted personal information is compromised. In the amended law, notification may also be required even when the information is encrypted.

Effective January 1, 2017, notification can be triggered for incidents where:

  • Unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person; or
  • Personal information is encrypted, but the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the entity that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.

California Notification Law Update

Overview: California AB 2828, Effective January 1, 2017

Highlights include:

  • Addition of a breach notification trigger for encrypted personal information
  • Addition of the definition of encryption key and security credential

Additional reading:

No longer exceptional: more specifically defined encryption exceptions

Data encryption is considered a best practice in data security, and encrypted information has been widely considered “safe” if compromised – until recently. AB 2828 indicates a growing trend that encryption may no longer be a safe harbor or blanket exception from notification requirements.

What this means for privacy and security teams

As the first state to enact a breach notification law, California continues to be a model of stringency. AB 2828 will require even greater diligence from privacy and security teams in  determining if an incident involving encrypted information requires notification to affected individuals.

“Successful management of this challenge can mean the difference between a quiet data security hiccup and a headline that portrays a breach of trust of millions of consumer. The amendment will only serve to complicate that challenge, especially for businesses that have not been monitoring access to data in its encrypted form.”

Usama Kahf and John Lai of Fisher Phillips,

If you’re a RADAR customer, the RADAR regulatory team continuously tracks changes in data breach notification laws for you. You can also expect to see changes in data breach notification laws applied in RADAR the same date the law goes into effect.

Related articles: