California adopted the first breach notification statute in the nation, and prides itself on being at the forefront of consumer privacy and security issues. On October 6, 2015, for the third time in the past three years, California Governor Jerry Brown signed legislation updating California’s data breach notice statute. The amendments, which cover both state agencies and businesses, were part of a legislative package of three separate bills mandating a new breach notice format, defining encryption, expanding the definition of personal information, and clarifying substitute notice requirements. The amendments will take effect on January 1, 2016.
New Breach Notice Form
California law now spells out the precise form in which such notice must be provided to ensure that the notice is “designed to call attention to the nature and significance of the information it contains.” Specifically, the amendment requires notices to be written in “plain language” and entitled “Notice of Data Breach.” The amendment also requires the notice to be broken into specific sections entitled: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” The amendment includes a template that satisfies the new format requirements. While the format is helpful guidance, it will create even more confusion when a company is faced with a national or global breach that triggers notice under multiple, conflicting laws.
Defining “Encryption”
California law has long exempted encrypted information from notice requirements – that is, where data is encrypted, the affected company may not be required to notify constituents of the breach. The rub has been that the statute never defined “encryption,” which created some uncertainty. California law now defines “encrypted” to mean “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” This is in tension with a statement issued by the California Attorney General in 2012, which said that “[d]ata encryption should meet the National Institute of Standards and Technology’s Advanced Encryption Standard.” While the AES standard would, presumably, meet the requirements of the new law, there are now, and will likely be, other generally accepted methods of encryption. At the same time, companies should pause before deploying new, customized or proprietary solutions that security industry practitioners may not consider “generally accepted.”
Personal Information
In a matter most applicable to public agencies, the new law updates the definition of “personal information” to include “[i]nformation or data collected through the use or operation of an automated license plate recognition system” in the list of data elements requiring notice if the system is breached.
Notification Requirements
Finally, the new law clarifies the steps a company must take to provide “substitute notice” if the company must notify more than 500,000 state residents, or if the notice would cost in excess of $250,000, or if the company does not have adequate contact information to reach all affected parties. Under prior law, “substitute notice” required (i) email notice to residents for whom the company had a valid email address, (ii) “conspicuous” posting on the company’s website, and (iii) notification of statewide media. The updated law specifies that “conspicuous” posting on the website “means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or is in contrasting type, font or color to the surrounding text of the same size, or set off from other type by symbols or other marks that call attention to the link.” The notice must be posted to the website for a minimum of 30 days.
2015 has been a busy year, both for data breaches and for laws addressing those breaches. Since California is a leader in the field, we can expect additional changes nationwide, further complicating the response to a data breach. For those companies that have adopted data breach policies (and we highly recommend that they do), attention should be given to updating those plans, and monitoring further developments.