California Governor Jerry Brown has signed into law three bills that revise California’s data breach notification requirements. The laws clarify important definitions, adjust notification requirements, and require operators of automated license plate recognition (“ALPR”) systems to adopt new security policies and record keeping procedures.
Assembly Bill 964 (A.B. 964), defines the word “encrypted” as used in the data breach notification law. “Encrypted” data under the new law must be “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” On the statute’s face, there is no further or more detailed description of encryption requirements. In 2014, the California Attorney General released a Data Breach Report recommending a number of ways data should be encrypted, including, for retailers, from the point of capture until completion of transaction authorization, and for the health care industry, full disk strong encryption, to the standard set by the National Institute of Standards and Technology (“NIST”). It also suggested protecting personal information in transit using FIPS 197, NIST’s standard approved for U.S. Government organizations to protect higher risk information.
Senate Bill 570 (S.B. 570) requires security breach notifications to be titled “Notice of Data Breach” and to present a variety of information, including “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” The law includes a model security breach notification form to be completed in plain language. Conspicuous posting of the notice is required on the notifying entity’s web site for a minimum of 30 days. There must be a link to the notice on the entity’s home page that is more noticeable (based on font, size, color, and other attributes specified in the law) than the surrounding text.
Finally, Senate Bill 34 (S.B. 34) adds data collected through the use or operation of an ALPR system to the definition of “personal information.” The inclusion will require breaches of such information to be disclosed. The law also requires the use of security procedures and practices to protect ALPR information and implementation of a usage and privacy policy with respect to that information. The law imposes similar requirements on an “ALPR end-user.” Additionally, ALPR operators must maintain records of access and require that ALPR information only be used for authorized purposes. Public agencies are prohibited from selling, sharing, or transferring ALPR information, except to another public agency. Under the new law, an individual who has been harmed by a violation of the law may bring a civil action against a person who knowingly caused the harm. In such a case, the court may award actual damages, but not less than liquidated damages in the amount of $2,500, punitive damages, and attorney’s fees.
All three laws become effective on January 1, 2016.