Data Breach Laws in California Updated

Data breach laws in California have been updated following the signing of three new bills by California Governor Jerry Brown. The new bills were passed as a single package, and will come into effect on January 1, 2016.

The new bills – Assembly Bill 964 (A.B. 964), Senate Bill 570 (S.B. 570) and Senate Bill 34 (S.B. 34) – are intended to clarify data breach laws in California, and provide further explanations on data encryption, the issuing of data breach notices, as well as expanding the definition of “personal information” under California Law.

New Data Encryption Definition

There are a number of data encryption standards and methods of encrypting data to prevent accidental or deliberate disclosure. However, not all encryption methods offer the same level of protection. One of the new bills introduced last week helps to clarify what is meant by “encryption” in California.

Assembly Bill 964 confirms that encryption means information is “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security. This definition will apply to all data breach legislature in California from January 2016 onward.

Notices of Data Breaches

The issuing of data breach notifications following the exposure of the personal information of California residents has been a requirement for some time under state laws, but it was felt that the language used in breach notification letters needed to be tightened and standardized. Senate Bill 570 also stipulates the exact information that must be included in notification letters.

This will ensure that California residents are given all the information they need to make an informed decision about the actions they should take to address risks resulting from the exposure of their data.

The new data breach law requires organizations, companies and individuals who record or store the personal information of state residents to issue notifications to all victims. Those notifications must be entitled “Notice of Data Breach,” and should detail the exact information exposed, how the security incident occurred, what the entity suffering the data breach is doing in order to mitigate risk and prevent future incidents, and the actions data breach victims can take to mitigate risk. An example data breach notice is included in the bill which includes headings under which information must be entered.

The new bill requires a data breach notice to be issued in “the most expedient time possible and without unreasonable delay.” The notices must be written in plain language so as not to cause confusion.

Under California law, data breach notices can be issued by mail, but also electronically; provided the notices are “consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.”

A substitute notice can be issued “if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information,” although rules are stipulated covering how the notices should be issued.

Definition of Personal Information

Data breach notices must be issued when certain data elements are exposed or compromised. Different states have different definitions of “personal information” and these are frequently updated. California state data breach laws were updated in 2013; although new data elements have now been included following the passing of S.B. 34.

Senate Bill 34 expands the definition to also include data captured and recorded by Automated License Plate Recognition Systems (ALPR), and sets a number of new requirements for users/operators of those systems.

“Personal Information” Definition in California

1. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

  • Social security number.
  • Driver’s license number or California identification card number.
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
  • Medical information.
  • Health insurance information.
  • Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.

2. A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

The description of Medical Information is detailed in the bill as being “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.”

Health Insurance information is defined as “an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.”

Personal information does not include any data that is publicly available or is “lawfully made available to the general public from federal, state, or local government records.”

The new bill also introduces a new private right of action which will enable data breach victims to take legal action against individuals or companies that have exposed their personal information, which from January 1, 2016, will also include the unauthorized use of Automated License Plate information.