Governor Jerry Brown recently signed three bills into law, amending California’s breach notification statute. The new laws expand the definition of personal information, add clarity to the term encryption, and add requirements for notification letters.
Personal Information Definition
S.B. 34 expands the definition of personal information to include information or data collected through the use or operation of an automated license plate recognition system.
License plate recognition systems use optical character recognition on images to read license plate numbers and store that data. Many police departments have adopted this technology, creating concerns regarding the use and safety of that data.
The amendment requires entities using the technology to maintain reasonable safeguards to protect the license plate recognition data from unauthorized use or disclosure. The law also includes a provision allowing a private right of action for anyone harmed by violations of the statute.
A.B. 964 provides a bit of clarity on the definition of encryption. Most state laws, including California’s, allow for a safe harbor for encrypted information that is accessed by an unauthorized person. The grey area of the law is what qualifies as acceptable encryption.
The amendment defines encrypted information as information that is “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”
Notification Letter Changes
S.B. 570 updates the requirements for breach notification letters that are sent to individuals affected by a security breach.
Additional requirements include:
- The notification must be titled “Notice of Data Breach.”
- The information must be presented under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.”
- The title and headings must be clearly and conspicuously displayed.
- The text should be at least 10-point font size.
The new law also provides a model security breach notification form that complies with the requirements listed above.
The amendments are effective January 1, 2016.