On October 6, California Governor Jerry Brown signed legislation updating California’s data breach notice statute for the third time in three years. The news was quickly overshadowed by the CJEU’s decision invalidating the US-EU Safe Harbor Framework
on the same day, but the California law amendments should not be overlooked. The amendments, which update Cal. Civ. Code § 1789.29 (for state agencies) and § 1789.82 (for businesses), were part of a legislative “package deal” of three separate bills mandating a new breach notice format (S.B. 570
), defining “encryption” (A.B. 964
), and expanding the definition of “personal information” and clarifying substitute notice requirements (S.B. 34
). The amendments will take effect on January 1, 2016.
New Breach Notice Format
California’s existing data breach statute already prescribed some of the information that must be contained in a data breach notice made to California residents. Now, however, the law as updated by S.B. 570 spells out the precise form in which such notice must be provided to ensure that the notice is “designed to call attention to the nature and significance of the information it contains.” Specifically, the amendment requires notices to be written in “plain language” and entitled “Notice of Data Breach
.” The amendment also requires the notice to be broken into specific sections entitled: “What Happened
,” “What Information Was Involved
,” “What We Are Doing
,” “What You Can Do
,” and “For More Information
.” Finally, the statute requires that the notice be provided in “no smaller than 10-point type.” The amendment helpfully provides a template that will satisfy the new format requirements. These new formatting requirements provide yet another hurdle companies must address when faced with a national (or global) breach that triggers notice under multiple, conflicting laws.
Meaning of “Encryption” Clarified
The second bill in the package, A.B. 964, clarifies that “‘encrypted’ means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” Under the existing iteration of the statute, the loss of encrypted data would not trigger notification obligations, but the failure of the statute to specifically define “encryption” created some uncertainty. Note that in 2012, the California AG published non-binding guidance stating that “[d]ata encryption should meet the National Institute of Standards and Technology’s Advanced Encryption Standard” (AES). Presumably, the AES standard would satisfy the updated law, but AES is not the only
generally accepted methodology (or technology) which could be used in all contexts. That said, companies should give careful thought before deploying customized or proprietary solutions that may not be supported or even contemplated by security industry practitioners.
S.B. 34 updates the definition of “personal information” to include “[i]nformation or data collected through the use or operation of an automated license plate recognition system” in the list of data elements requiring notice if breached. Last, the new legislation clarifies the steps a company must take to provide “substitute notice” in the event that notice is required to be made to more than 500,000 state residents, would cost in excess of $250,000, or the company has insufficient contact information. Previously, “substitute notice” required (i) email notice to residents for whom the company had a valid email address, (ii) “conspicuous” posting on the company’s website, and (iii) notification of statewide media. The updated law specifies that “conspicuous” posting on the website “means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or is in contrasting type, font or color to the surrounding text of the same size, or set off from other type by symbols or other marks that call attention to the link.” Moreover, the notice must be posted to the website for a minimum of 30 days.
The Race to Regulate Data Breach Notice Requirements
California is often at the vanguard of state regulation on consumer privacy and security issues, particularly with regard to breach notification obligations. 2015 was already a busy year for revamps to state notification laws across the country, many of which were at least partially in response to California’s 2014 update. We expect other states to follow California’s lead in revising—or re-revising—their own laws in 2016. Companies are well advised to keep abreast of these developments, and to update their incident response plan appendixes accordingly.