[BreachExchange] California Expands Data Breach Notification Law

Inga Goddijn inga at riskbasedsecurity.com
Fri Oct 7 10:22:11 EDT 2016


http://www.lexology.com/library/detail.aspx?g=7bcd99c2-9ead-43d9-ac21-f4572dfad720

*January 1, 2017 Will See Broader Requirements*

California’s data breach notification law is already considered the most
stringent in the United States. Based on a new amendment recently signed
into law, the law will soon get even tougher.

On September 13, 2016, Governor Jerry Brown signed AB 2525, which amends
the state’s data breach notification law requiring businesses to disclose
data breaches to individuals whose personal information has been
compromised. Currently, the law only requires businesses to disclose
breaches where “unencrypted” information is breached. Under the new
amendment, however, businesses must soon disclose breaches even when
“encrypted” information has been acquired in an unauthorized breach. Under
the amended law, as of January 1, 2017, the notification obligation will be
triggered where encrypted data is leaked together with the encryption key
or security credential that “could render that personal information
readable or useable.”

Prior to this amendment, the process of encryption provided businesses with
a safe harbor from having to notify individuals whose private but encrypted
data was leaked for whatever reason. Once effective, this amendment will
mean that even data that has been converted into code so as to be readable
only by those who have the encryption key to decode it falls under the
broad terms of the disclosure law.

The law applies to all persons and businesses (including non-profits) that
own or license computerized data, and will be effective January 1, 2017.

*Compliance Challenges Await California Businesses*

The principle underlying this amendment is not controversial. In fact, it
arguably patches a conceptual hole that flawed the old law. However, this
amendment presents an urgent compliance challenge for many businesses
because the new law explicitly requires more data transaction points to be
monitored.

Even before this amendment, California’s data breach law has always
presented a significant challenge for employers: being able to quickly
identify the extent of a data breach so as to avoid issuing a “false
positive” notice to individuals whose data has not been breached.
Successful management of this challenge can mean the difference between a
quiet data security hiccup and a headline that portrays a breach of trust
of millions of consumers. The amendment will only serve to complicate that
challenge, especially for businesses that have not been monitoring access
to data in its encrypted form.

*What Should Employers Do Now?*

Given the recent proliferation of spear phishing, ransom malware, and other
hacking methods, the reality is that the occurrence of a data breach for
any employer is not a matter of if but when. While even the most
sophisticated and well-funded organizations still fall victim to data
breaches, this should not discourage you from taking reasonable steps to
identify potential security gaps and train staff on best practices for
preventing data breaches.

In light of this amendment to California’s data breach notification law,
you are encouraged to review your data security measures to ensure that a
breach of encrypted data does not go unnoticed. If any revision to current
monitoring or reporting systems is necessary, it may also be prudent to set
new encryption keys across all company systems concurrently.

You should also consider additional steps such as establishing a security
incident response team with protocols in place ready to triage a data
breach when it happens, as well as conducting an annual security
vulnerability audit and test simulations of a data breach.