December 17, 2015
Earlier this year, California Governor Brown signed legislation effective January 2016 which will update and refine California data breach notification and encryption laws, codified in Civil Code sections 1798.29 and 1798.82. As outlined here, these are changes that your business needs to be aware of, and which confirm California’s continued status as a leader on these rapidly developing issues.
Assembly Bill 964 removes some uncertainty regarding the term “encrypted” as it is used in the current data breach notification statute. The term was previously undefined. As clarified, personal information is “encrypted” if it has been “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology generally accepted in the field of information security.” The definition is technology-neutral: it allows accepted encryption methods to evolve along with the technology, and it does not require the use of any particular technology or encryption method.
Senate Bill 570 provides some standard language to be used in printed or emailed security breach notifications. Effective 2016, security breach notifications must be titled “Notice of Data Breach” and include information under the following headlines: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” (A minimum 10-point font must be used.) A model breach notification form will be included in the statute. Following a data breach, use of the model form will be presumed to comply with the notification statute. (Caution should be used if notifications involve more than one state, because state laws differ.) The rationale behind this particular update is to make the nature and importance of the information clear to the reader, and to make it easier for an organization to understand what information must be communicated.
Both of the new laws include additional notice requirements if a consumer’s username or email address is the only information that is the subject of the breach. In those circumstances, where the breach affects only a consumer’s username or email address associated with an online account, together with the account’s password or security question and answer, notification can be communicated in “electronic or other form” by instructing the consumer to promptly change the password and security question or answer, or to take other appropriate steps to protect the account. However, there are some limitations on this type of notification if the login credentials for an email address are themselves affected.
Both bills also amend the statute’s substitute notice provision by mandating that a conspicuous posting of the notice on a business’s website must remain up for at least 30 days, and that the link must appear on the website’s home page or first significant page and be in larger type than the surrounding text, in a contrasting type or font, or set off by marks calling attention to the link.
In summary, these changes should be a welcome clarification for businesses seeking guidance both prior to and after a data breach. These laws are another indication that California is at the forefront of data protection and security.
We will continue to monitor both state and federal laws that impact these issues. Should you have any questions or concerns about this new legislation, please contact one of the authors.