Businesses and government entities have been subject to data security breach notification requirements under California law for more than a decade. In 2002, California was the first jurisdiction worldwide to pass a law requiring businesses and agencies to notify data subjects of data security breaches. Since then, California has regularly updated its data security breach notification law, including in 2015.
What Is New?
On January 1, 2016, three new California data security laws came into effect, adding:
- A definition of "encrypted" to specify exemptions from notification requirements regarding encrypted data (Assembly Bill 964);
- More detailed requirements regarding form and content of breach notifications (Senate Bill 570); and
- Data security rules and claims regarding information collected with automated license plate recognition systems (Senate Bill 34).
Each bill changes California Civil Code §1798.29 and §1798.82. Senate Bill 34 adds new Sections §§ 1798.90.5-54 to the California Civil Code. See below for more information on the changes.
Who Must Comply?
Companies located within and outside California have to notify California residents in case of unauthorized access to certain categories of their personal data in combination with the individual’s name when either the name or the other data elements are not encrypted.
Effective January 1, 2016, "encrypted" means "rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security." Companies should confirm and document that their encryption methods are "generally accepted in the field of information security" to prepare for a potential need to prove this in court.
How Do Companies Have To Organize Breach Notifications?
Companies have to provide prescribed details under prescribed headings and font size. Companies that use a new "model security breach notification form" are deemed to comply with some of the new form requirements:
[NAME OF INSTITUTION / LOGO] Date: [insert date]
NOTICE OF DATA BREACH
What Information Was Involved?
What We Are Doing.
What You Can Do.
Other Important Information.
[insert other important information]
For More Information.
Call [telephone number] or go to [Internet Web site]
Who and What Data Is Protected by California's Data Breach Laws?
California residents are protected with respect to certain types of personal information, including an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: social security number; driver’s license number or California identification card number; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; medical information; health insurance information; and information collected through an automated license plate recognition system.
What Must Companies Observe Regarding Automated License Plate Recognition (ALPR) Systems?
Operators and users of ALPR systems will have to comply with specific data security requirements and a duty to publish privacy and usage policies with certain prescribed information. Harmed individuals in California can bring civil actions against companies and agencies that knowingly breach the new requirements. Courts can award damages (including minimum liquidated damages of $2,500), punitive damages, attorneys' fees and injunctions.
The sanctions on companies and remedies for harmed individuals extend expressly to data security breaches, which is notable, as general data security breach notification laws do not grant specific sanctions or remedies for the breach (only for failure to notify).