<div dir="ltr"><a href="http://www.lexology.com/library/detail.aspx?g=7bcd99c2-9ead-43d9-ac21-f4572dfad720">http://www.lexology.com/library/detail.aspx?g=7bcd99c2-9ead-43d9-ac21-f4572dfad720</a><br><div class="gmail-article-body" id="gmail-lex-article-body" style="display:block">
<p><strong>January 1, 2017 Will See Broader Requirements</strong></p>
<p>California’s data breach notification law is already considered the
most stringent in the United States. A new amendment, recently signed
into law, will soon make it even tougher.</p>
<p>On September 13, 2016, Governor Jerry Brown signed AB 2525, which
amends the state’s data breach notification law, the statute requiring
businesses to disclose data breaches to individuals whose personal
information has been compromised. Currently, the law requires businesses
to disclose a breach only where “unencrypted” information is breached.
Under the new amendment, however, businesses must soon disclose breaches
even when “encrypted” information has been acquired in an unauthorized
breach. Under the amended law, as of January 1, 2017, the notification
obligation will be triggered where encrypted data is leaked together
with the encryption key or security credential that “could render that
personal information readable or useable.”</p>
<p>Prior to this amendment, the process of encryption provided
businesses with a safe harbor from having to notify individuals whose
private but encrypted data was leaked for whatever reason. Once
effective, this amendment will mean that even data that has been
converted into code so as to be readable only by those who have the
encryption key to decode it falls under the broad terms of the
disclosure law.</p>
<p>The law applies to all persons and businesses (including non-profits)
that own or license computerized data, and will be effective January 1,
2017.</p>
<p><strong>Compliance Challenges Await California Businesses</strong></p>
<p>The principle underlying this amendment is not controversial. In
fact, it arguably closes a conceptual gap in the old law: encrypted data
is only as safe as the key that protects it. However, this amendment
presents an urgent compliance challenge for many businesses because the
new law effectively requires more data transaction points, including
the handling of encryption keys and credentials, to be monitored.</p>
<p>Even before this amendment, California’s data breach law has always
presented a significant challenge for employers: being able to quickly
identify the extent of a data breach so as to avoid issuing a “false
positive” notice to individuals whose data has not actually been
breached. Successful management of this challenge can mean the
difference between a quiet data security hiccup and a headline that
portrays a breach of trust of millions of consumers. The amendment will
only serve to complicate that challenge, especially for businesses that
have not been monitoring access to data in its encrypted form or to the
keys that protect it.</p>
<p><strong>What Should Employers Do Now?</strong></p>
<p>Given the recent proliferation of spear phishing, ransomware, and
other hacking methods, the reality is that a data breach at any employer
is not a matter of if but when. While even the most sophisticated and
well-funded organizations still fall victim to data breaches, this
should not discourage you from taking reasonable steps to identify
potential security gaps and to train staff on best practices for
preventing data breaches.</p>
<p>In light of this amendment to California’s data breach notification
law, you are encouraged to review your data security measures to ensure
that a breach of encrypted data, or of the keys and credentials that
protect it, does not go unnoticed. If any revision to current monitoring
or reporting systems is necessary, it may also be prudent to set new
encryption keys across all company systems concurrently.</p>
<p>You should also consider additional steps such as establishing a
security incident response team with protocols in place ready to triage a
data breach when it happens, as well as conducting an annual security
vulnerability audit and test simulations of a data breach.</p>
</div><br></div>