The Fall season often brings changes to California laws, and this year is no exception. Once again, the California Security Breach Disclosure Laws have been amended. During the first half of October, California Governor Jerry Brown signed three bills amending the State’s Security Breach Disclosure Laws. These amendments will be effective as of January 1, 2016.
New Category of Protected Information
The amendment resulting from the signature of SB 34 adds license plate information – specifically, “information or data collected through the use or operation of an automated license plate recognition system” – to the list of information deemed “personal information” protected under the Security Breach Disclosure Laws codified as Civ. Code Sections 1798.29 and 1798.82.
The amendment also creates Civ. Code Sections 1798.90.50 to 1798.90.55. New Section 1798.90.50 will require “automated license plate recognition end-users” or “ALPR end-users” to implement a usage and privacy policy in order to ensure that the collection, use, maintenance, sharing and dissemination of the ALPR information is consistent with California’s respect for individuals’ privacy and civil liberties. The resulting usage and privacy policy must be made available to the public in writing, and be posted conspicuously on the website (if any) of the ALPR end-user.
SB 34 identifies minimum requirements for the content of the required privacy policy. Among other things, the privacy policy must identify the methods used to ensure the security of the information and compliance with privacy laws. Individuals who have been harmed by violations of these provisions, including breach of security and unauthorized access to, or use of, their information, are granted a private cause of action giving them the right to bring civil action against any person who knowingly caused the harm.
Definition of Encryption
Assembly bill AB 964, also signed into law by Governor Jerry Brown in early October, clarifies the meaning and scope of the term “encryption” used in the Security Breach Disclosure Laws. This is a welcome clarification, thirteen years after the enactment of the original law. During that period, the most common interpretation of the term “encryption” in the context of security breach disclosure laws was that it was intended to mean “strong encryption” as opposed to the use of passwords to limit access to a server.
The term “encrypted” data, under the AB 964 amendment, is defined as data that is “rendered unusable, unreadable or undecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” There is no indication of what criteria will be used to determine the extent to which a particular technology or methodology will be deemed “generally accepted” in the field of information security. Companies may consider turning to relevant publications by NIST, the US National Institute of Standards and Technology, or to standards established by well-known organizations such as the International Organization for Standardization (ISO), an international standard-setting body.
Required Format for Breach Notices
Finally, SB 570 amends the California Security Breach laws to require that a specific outline be used when preparing Breach Disclosure Notices. While prior amendments to the California Security Breach Laws did specify the type of information that should be included in a breach notice, this amendment focuses on the readability of the document: it prescribes the sequence in which the information must be provided and the titles to be used for each section of the disclosure. The notice must be titled “Notice of Data Breach”. It must be broken into prescribed sections titled:
- “What happened”;
- “What information was involved”;
- “What we are doing”;
- “What you can do”; and
- “For more information”.
The affected entities are given the freedom to supplement this information.
The amendment also requires, among other things, that the format of the notice be designed to call attention to the nature and significance of the information that it contains. The font used must be not smaller than 10-point type. A sample form is provided in the bill.
These amendments will be effective as of January 1, 2016. That leaves ten weeks to companies subject to California disclosure laws to update their security incident response plans and forms, and adjust their practices to the new amendments.