By J. Scott Miller, Klinedinst PC.
Cybersecurity breaches and attacks on personal data and information have become more frequent and sophisticated. According to a recent California State Auditor’s report, no entity is immune: retailers, financial institutions, government agencies and all manner of businesses and corporations, small and large, have fallen prey to hackers and cyber thieves.
Among the new cybersecurity laws of 2016 that directly affect California’s businesses are three important new revisions to California’s data breach notification statute. (See Cal. Civ. Code §§ 1798.29(a) and 1798.82(a).)
California’s data breach notification law, which dates back to 2003, was the first of its kind among the states. It requires businesses to notify California residents “in the most expedient time possible” after learning of a cybersecurity breach in which those residents’ personal information “was, or is reasonably believed to have been, acquired by an unauthorized person.” The new legislation, which takes effect January 1, 2016, will amend California’s data breach notification requirements as follows:
New Requirements for Breach Notification Letters
Under SB 570, data breach notices must be titled “Notice of Data Breach” and must display the following headings:
- “What happened”
- “What information was involved”
- “What we are doing”
- “What you can do”
- “For more information”
The notice title and the headings above must be “clearly and conspicuously displayed,” the format of the notice must “be designed to call attention to the nature and significance of the information it contains,” and the text of this and any other related notice cannot be smaller than 10-point type.
This headings requirement is entirely new, and offers a conspicuously worded, detailed template to clarify the type and quality of notice contemplated by the statute. Before this revision, an affected entity only needed to provide notice that was “written in plain language.” As before, the notice, at a minimum, still must provide (1) the name and contact information for the entity reporting the breach, (2) a list of the types of information that were reasonably believed to have been breached, (3) the date, estimated date, or date range of the breach, if known, (4) whether the notification was delayed due to a law enforcement investigation, if that can be determined, (5) a general description of the breach incident, if that information can be determined, and (6) the toll-free numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or California driver’s license or identification number. Additionally, at the entity’s discretion, the notice may also include information about what the entity has done to protect individuals whose information has been breached, and advice on steps that an affected individual may take to protect himself or herself.
The new provision also contains a helpful model security breach notification form to demonstrate what California deems compliant with these requirements. The form, as stated in the statute, is as follows:
The Attorney General’s website maintains additional forms, laws, procedures and related information regarding the data breach reporting requirements for businesses in California.
A single letter can meet these requirements. However, given that many companies conduct business online or by mail order to non-California residents, businesses need to be aware of other states’ data breach notification laws as well. Businesses will need to assess whether these notice requirements comply with other states’ laws or whether multiple notices will be required.
New Definition of “Encrypted”
Under AB 964, “encrypted” information is now defined for purposes of California’s data breach notification law as any information that is “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.” (See Cal. Civ. Code § 1798.29(h)(4).) This definition is also entirely new, and attempts to provide some much needed clarity, given that “unencrypted” information remains subject to the data breach notification requirements, while “encrypted” information is not.
Unfortunately, though, the clarity offered by this new definition is quite limited. The amendment does not specify any particular encryption methodology, and offers little or no guidance as to what type of “security technology or methodology” is “generally accepted” in the information technology field sufficient to meet this requirement. Given the rapidly changing nature of encryption technology, what the IT field “generally accepts” can reasonably be expected to change over time. If the encryption technology a business is using at the time of a breach turns out not to be “generally accepted,” the business will be required to provide notification of the breach to California consumers under Cal. Civ. Code § 1798.29(a), as outlined above. Expect to see some litigation over this and related issues in the near future.