New provisions about encryption, license plate recognition, and breach notification letters.
California has long been a trendsetter with regard to security breach notification standards. In 2002, for example, California became the first state to enact a security breach notification law. Since then, nearly every state has followed suit, enacting laws that require entities that experience a security breach involving personal information to notify affected individuals. In recent years, California has regularly updated its security breach notification law, including provisions expanding the definition of “personal information” to include medical information, and addressing the provision of credit monitoring services and notifications to the California Attorney General. On October 6, 2015, California continued this tradition by amending its breach notification statute to (i) expand the definition of “personal information” to include automatically collected license plate data; (ii) define the term “encryption”; and (iii) establish new requirements for the content and form of breach notification letters. The amendments—which go into effect January 1, 2016—will significantly affect how businesses and governmental agencies operating in California respond to security breaches, particularly with respect to the form and content of breach notification letters.
The first amendment, Senate Bill 34, expands the definition of “personal information” under California Civil Code sections 1798.29 and 1798.82 to include data collected through an automated license plate recognition (ALPR) system. Popular among law enforcement and private entities alike, ALPR systems use optical character recognition on video images to read license plates on motor vehicles and store that data in a searchable computerized database. Under Senate Bill 34, a license plate number obtained through an ALPR system is a data element that, when combined with an individual’s first name or initial and last name, is subject to breach notification in California. The amendment, which applies to public and private entities, also requires users of ALPR systems to implement reasonable safeguards to protect ALPR data from unauthorized use or disclosure, and provides a private right of action to individuals harmed by a violation of these requirements. California’s private right of action is not limited to ALPR breaches, however. Rather, any customer injured by a violation of California’s breach notification statute may institute a civil action to recover damages.
Under California’s current law, the breach notification requirements do not apply to personal information that is “encrypted.” Until now, the law did not define when personal information would be considered “encrypted.” The second amendment, Assembly Bill 964, amends California Civil Code sections 1798.29 and 1798.82 to clarify that information is encrypted if it is rendered “unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” Some ambiguity remains as to what encryption is generally accepted in the field of information security, and that standard will undoubtedly change over time. If the encryption standard used to protect data turns out not to be “generally accepted,” a breach of that data may require notification starting in January 2016.
The third amendment, Senate Bill 570, amends California Civil Code sections 1798.29 and 1798.82 to standardize the language and formatting used in breach notification letters. In addition to the existing requirements, notification letters must now be titled “Notice of Data Breach” and present required information under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” The title and headings must be clearly and conspicuously displayed using a font size no smaller than 10-point type. Senate Bill 570 also provides a model breach notification form, which, if used, is deemed to comply with the new content requirements for written notification. While the model breach notification letter provides guidance to businesses and agencies trying to navigate California law, it poses challenges in the case of breaches affecting individuals in multiple states, whose laws may require or expressly exclude inclusion of certain information. For example, the “What Happened” section should not be included in notices to Massachusetts residents, as that state’s law prohibits including a description of the nature of the breach or unauthorized acquisition or use. Similarly, Illinois’s breach notification statute prohibits including information about the number of affected Illinois residents in the notification letter. We maintain templates for data breach notification letters that meet the requirements in all of the states that require data breach notification.
For national companies doing business in California, the state’s rigorous privacy and security laws often effectively become a de facto national standard. In light of these recent amendments to California’s breach notification law, persons and businesses conducting business in California are encouraged to review their encryption policies, update their breach notification forms, and, if using an ALPR system or data from an ALPR system, adopt compliant policies with respect to data collected through ALPR systems. We can help companies doing business in California develop and implement breach response programs that reflect the new amendments to the California breach notification law, along with other features of the state’s ever-evolving privacy and security regulatory landscape.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Mark L. Krotoski
Ronald W. Del Sesto, Jr.