[BreachExchange] California Amends its Data Breach Statute…Again

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jan 13 18:35:49 EST 2017


http://www.jdsupra.com/legalnews/california-amends-its-data-breach-24052/

The California Legislature has again amended California's Data Breach
Statute regarding the obligations of companies to disclose the breach of
personal information stored in computerized data.  (California Civil Code
Section 1798.82)  Prior to the amendment, the statute stated that anyone
conducting business in California that owns or licenses computerized
personal information data must disclose a breach in the security of the
data to a California resident whose unencrypted personal information was,
or is reasonably believed to have been, acquired by an unauthorized person.

The amendment adds another element triggering the obligation to notify
individuals of a security breach or suspected breach.  Now, those
conducting business in California are required to disclose a security
breach of encrypted personal information where: 1) the encrypted personal
information was, or is reasonably believed to have been, acquired by an
unauthorized person; and 2) the encryption key or security credential was,
or is reasonably believed to have been, acquired by an unauthorized person
where there is a reasonable belief that the encryption key or security
credential could render that personal information readable or useable.

Whereas the prior obligation to disclose a data breach applied to
unencrypted personal information, the amendment extends it to data
breaches involving the unauthorized acquisition of encrypted personal
information.  The definition of "personal information" is sufficiently
broad that most companies will be impacted by this amendment if such data
is stored in a computerized format.  Personal information is defined as the
individual's name with any of the following elements associated with it:
social security number, driver's license number, account number, credit or
debit card numbers, medical information, health insurance information or
license plate information.  Personal information also encompasses user name
and password information such that access to an online account can be
gained.

The reality today is that if encrypted personal information in a
computerized format is the subject of a security breach, the party storing
such data must look at multiple factors to determine if notification is
necessary.  There first must be a breach affecting encrypted personal
information, as defined by the statute.  If it is determined that personal
information was in fact compromised, the party storing the data must
analyze whether the encrypted data can be accessed.  If the corresponding
encryption key has also been compromised and if the business has a
reasonable belief that the stolen encryption key renders the encrypted
information readable or useable, the individual must be notified pursuant
to the statute's requirements.

California's Data Breach Statute adds another layer to conducting business
within the borders of California, and impacts companies of all sizes if
they store computerized personal information (whether encrypted or not).