California Beefs Up Encryption & Notice in Data Breach Law
On October 8, 2015, California Governor Jerry Brown signed A.B. 964 and S.B. 570 into law, a pair of bills that amended the Golden State’s data breach notification statute (Ca. Civ. Code § 1798.82). The amendments specifically define information that is “encrypted” so as to presumptively exclude it from notice and disclosure requirements, add additional notice format requirements for printed and emailed consumer breach notifications, and specify additional notice method requirements when consumers’ usernames or email addresses are specifically affected. Both bills also add information collected by automated license plate recognition systems to the statute’s definition of personal information, and slightly alter the requirements for substitute notice. While the definition of “encrypted” may help businesses determine just when consumer notification is required under California’s law, meeting the new format and method restrictions may make delivering any required notices all the more burdensome. Consequently, businesses that must comply with California’s revised statute following a data breach should review their notification procedures and practices and make any necessary changes before these amendments take effect on January 1, 2016.
What Do the Amendments Require?
The major change brought by A.B. 964 is that it defines information as “encrypted” if it is “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” Fortunately, this new definition is technology neutral and does not specify a particular encryption methodology. A breach of encrypted information is presumed to be outside of the statute’s data breach notification requirements, but the presumption is rebuttable, notably where the encryption code or method is also compromised. While California’s breach notification statute has had an encryption safe harbor since its inception, the meaning of “encrypted” was not previously specified. A.B. 964 should give companies that do business in California a bit of comfort by more precisely describing just what encryption practices will fall under the safe harbor.
S.B. 570 requires that the mandated content in a printed or emailed consumer notification be formatted and organized in a particular manner. Businesses will still have to provide notice in plain language, but will also have to title any document or email informing consumers of a breach as “Notice of Data Breach,” use at least 10-point font, and organize the content required by statute under the following “clearly and conspicuously displayed” headlines:
- “What Happened”;
- “What Information Was Involved”;
- “What We Are Doing”; and
- “What You Can Do.”
Other important information may be provided as a supplement. S.B. 570 further includes a breach notification template that will be automatically deemed in compliance with the new format requirements, serving as a safe harbor for businesses when providing notice.
According to the bill’s legislative history, the new format structure is designed to draw the reader’s attention to the nature and significance of the information in any notice they receive. But with more demands for specificity comes more complexity – and possibly more expense – for businesses when giving notice to consumers in multiple states. For instance, a typical breach often affects consumers in multiple states, but the type of notice demanded by California’s new law likely could not be used to inform consumers in Massachusetts, as that state’s notification statute expressly prohibits a company from informing consumers about the nature of a breach. Consequently, businesses will likely have to develop several different notice formats and implement methods to ensure that the right format of notice is sent to consumers in the right jurisdictions, potentially increasing the cost and time that it takes to inform consumers.
Both A.B. 964 and S.B. 570 include additional notice requirements when a consumer’s username or email address is the only personal information affected. For a breach affecting only a consumer’s username or email address associated with an online account, together with the account’s password or security question and answer, businesses and other entities may give notice in “electronic or other form” by directing the consumer to:
- Promptly change the password and security question or answer associated with the account; or
- Take other appropriate steps to protect the affected online account, as well as any other accounts for which the same username or email address might be used.
However, an entity may not use this same method when the login credentials of an email address provided by the entity itself are affected. Instead, it must provide notice via another method described under the statute or by “clear and conspicuous notice” delivered when the consumer is connected to the affected online account from a customary IP address or online location.
Finally, both bills amend the statute’s substitute notice provision by mandating that conspicuous posting of the notice on a business’s website must remain up for at least 30 days. Additionally, a link to the notice must be on the website’s homepage or first significant page and must either be in larger type than the surrounding text, be in a contrasting type or font, or be set off by marks calling attention to the link. Both bills also alter the definition of “personal information” to include information or data collected by an automated license plate recognition system, as defined in S.B. 34, a companion bill approved by Governor Brown on October 6, 2015.
Next Step for Businesses: Change Notification Policies and Procedures
Businesses and all other entities that are subject to Ca. Civ. Code § 1798.82 should welcome the more precise definition that A.B. 964 gives to “encrypted” information as this will give them a better ability to assess when their method of encrypting consumers’ personal information falls under California’s encryption safe harbor. However, the additional formatting requirements and restrictions surrounding notice when only consumers’ usernames and email addresses are breached may prove to be little more than a new procedural hurdle that businesses will need to clear, adding more complication to the already complex process of informing consumers across multiple states when a data breach might concern their information. Regardless, all entities will need to inspect their current data breach notice policies and procedures and ensure that they will be compliant once these changes take effect at the beginning of next year.
Please refer to Davis Wright Tremaine’s Summary of State Data Breach Notification Statutes and interactive heat map for current information on the data breach notification requirements in each of the states and territories. California’s summary will be updated when the amendments to its data breach notification statute go into effect on January 1, 2016.