Earlier this year, California Governor Jerry Brown signed into law AB 2828, an amendment to the state’s data breach notification law. This amendment, which takes effect January 1, 2017, changes the circumstances under which an entity must disclose a breach to affected individuals.  

Before the amendment, the state's breach notification law (California Civil Code section 1798.82 for businesses and section 1798.29 for state agencies) requires that individuals be notified only when unencrypted personal information is compromised; encrypted data is effectively exempt. Under the amended law, notification may also be required when the compromised information is encrypted, if the key or credential that protects it is compromised as well.

Effective January 1, 2017, notification can be triggered for incidents where:

  • Unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person; or
  • Personal information is encrypted, but the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the entity that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.

California Notification Law Update

Overview: California AB 2828, Effective January 1, 2017

Highlights include:

  • Addition of a breach notification trigger for encrypted personal information
  • Addition of the definition of encryption key and security credential

No longer exceptional: more specifically defined encryption exceptions

Data encryption is considered a best practice in data security, and encrypted information has been widely treated as "safe" if compromised, meaning its loss did not trigger notification. AB 2828 reflects a growing trend: encryption is no longer a blanket exception or safe harbor from notification requirements. Under the amended law, encrypted data stays exempt only so long as the encryption key or security credential has not also been acquired by an unauthorized person.

What this means for privacy and security teams

As the first state to enact a breach notification law, California continues to be a model of stringency. AB 2828 will require even greater diligence from privacy and security teams in determining whether an incident involving encrypted information requires notification to affected individuals. In practice, that determination now depends on whether the keys or credentials protecting the data were also exposed, which teams can only answer if they track where those keys are stored and who has accessed them.

"Successful management of this challenge can mean the difference between a quiet data security hiccup and a headline that portrays a breach of trust of millions of consumers. The amendment will only serve to complicate that challenge, especially for businesses that have not been monitoring access to data in its encrypted form."

Usama Kahf and John Lai of Fisher Phillips

If you’re a RADAR customer, the RADAR regulatory team continuously tracks changes in data breach notification laws for you. You can also expect to see changes in data breach notification laws applied in RADAR the same date the law goes into effect.
