Starting in 2017, data breach notification will be required for instances when encrypted personal information of California residents has been breached and certain conditions are met, according to a recently amended state law.
Previously, California’s data breach notification law required organizations to notify individuals only if unencrypted personal information was, or was reasonably believed, to have been acquired by an unauthorized third party.
However, Governor Jerry Brown recently approved changes to Assembly Bill No. 2828, requiring instances of breached encrypted data to be part of the notification process.
The amended bill requires notification if encrypted data was breached by an unauthorized individual, or was believed to have been breached, and if “the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person, business.”
Also, if an “agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable,” then data breach notification must be sent out to potentially affected individuals.
Personal information is also defined as an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
- Social security number.
- Driver’s license number or California identification card number.
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
- Medical information.
- Health insurance information.
- Information or data collected through the use or operation of an automated license plate recognition system.
Furthermore, a user name or email address, in combination with a password or security question and answer that would permit access to an online account, also falls under the bill’s definition of personal information.
“The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system,” the bill reads.
California Assemblymember Ed Chau authored AB 2828, and said that he was very happy that the governor was taking steps to help consumers keep their personal information protected and away from “criminals, thieves and hackers.”
“In an effort to protect consumers after a data breach, AB 2828 requires businesses and government agencies to notify affected consumers where encrypted personal information is disclosed and there is a reasonable belief that encryption keys or security credentials were also compromised and could render the breached information readable or useable,” Chau said in a statement on his website. “This bill will allow victims to take the necessary steps to protect themselves from fraud and identity theft before the data is used or sold by the hackers.”
Just last year, California amended statewide regulations for data breach notification. Governor Brown signed a three-bill package, which describes standards for data encryption, the language with which an entity provides data breach notification, and standards for defining personal information.
According to that earlier set of signed bills, properly encrypted data is “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”