California Amends its Data Breach Statute…Again
The California Legislature has again amended California's data breach notification statute (California Civil Code Section 1798.82), which governs when a company must disclose a breach of personal information held in computerized data. Before the amendment, the statute required anyone conducting business in California that owns or licenses computerized data containing personal information to disclose a breach of the security of that data to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The amendment adds a second trigger for the obligation to notify individuals of a security breach or suspected breach. Those conducting business in California must now also disclose a breach involving encrypted personal information where: 1) the encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person; and 2) the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person, and there is a reasonable belief that the key or credential could render the personal information readable or useable.
Whereas the prior obligation to disclose a data breach covered only unencrypted personal information, the amendment extends it to the unauthorized acquisition of encrypted personal information together with the means to decrypt it. The statute's definition of "personal information" is broad enough that most companies storing such data in computerized form will be affected. Personal information is defined as an individual's name in combination with any of the following data elements: Social Security number, driver's license number, account number, credit or debit card number, medical information, health insurance information, or license plate information. It also includes a user name in combination with a password that would permit access to an online account.
Today, when encrypted personal information in computerized form is involved in a security breach, the party storing the data must work through several questions to decide whether notification is required. First, was there a breach involving personal information as the statute defines it? If so, was the encryption key or security credential also acquired, or reasonably believed to have been acquired, by the unauthorized person? And if so, does the business reasonably believe that the stolen key or credential renders the encrypted information readable or useable? If the answer to each question is yes, the affected individuals must be notified in accordance with the statute's requirements. In practice, this means encryption only avoids a notification obligation when the keys are stored and protected separately from the data they protect; a database copy taken together with the key file, or with the application credentials used to decrypt it, would generally have to be treated as acquisition of the key.
California's Data Breach Statute adds another layer to conducting business within the borders of California, and impacts companies of all sizes if they store computerized personal information (whether encrypted or not).
Selman Breitman has the tools to help you navigate the cybersecurity issues you and your business face online. Our experienced attorneys can help you respond in the event of a cyber incident and develop information-security practices. View more information on our Cyber Law practice page.