On January 1, 2016, several updates to California’s digital privacy laws took effect. We previously reported on the revisions to the California Electronic Communications Privacy Act here.  However, a trio of other bills, Assembly Bill 964, Senate Bill 34, and Senate Bill 570, have clarified key elements of California’s data-breach notification statute and provided further guidance for handling electronically stored information.

Assembly Bill 964 (A.B. 964) – Data Encryption

A.B. 964 clarifies the meaning of “encrypted,” which is found throughout California’s data-breach notification statute, Ca. Civ. Code § 1798.82.  Personal information is now deemed “encrypted” if it is “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”  This amendment is significant because, while California’s data breach notification statute has always contained a safe harbor for “encrypted” information, the statute did not include a definition of “encrypted.”  A.B. 964 thus provides some needed clarity to the statute.

Senate Bill 570 (S.B. 570) – Breach Notification

S.B. 570 sets forth specific language and content requirements for future security breach notifications.  Notice must be provided in plain language, using at least 10-point font, and be titled “Notice of Data Breach.”  The revised law also requires notice to be formatted and provided using the following headings:

• What Happened;
• What Information Was Involved;
• What We Are Doing;
• What You Can Do;
• Other Important Information; and
• For More Information.

S.B. 570 includes a model form that will be deemed in compliance with the new format requirements if used by a business or entity in the case of a breach notification.

If the breach only affects usernames and email addresses, the business or entity may provide notification via “electronic or other form” and direct the consumer to change the password and security question associated with the account or take other appropriate steps to protect the affected account.  However, if the email address and e-mail account log-in credentials are affected by the breach, then notice must be provided by means other than to the compromised email account.

Finally, notice of the breach must be posted conspicuously on the website of the business or affected entity for a minimum of 30 days.

Senate Bill 34 (S.B. 34) – Automated License Plate Recognition Systems

S.B. 34 amends the definition of the term “personal information” found in California’s data-breach notification statute to include information and data captured by automated license plate recognition (“ALPR”) systems.  The law requires operators and users of ALPR systems to maintain reasonable security procedures and practices to protect ALPR data and to maintain APLR operator access logs.  Operators and end-users of ALPR systems must implement usage and privacy policies that govern the collection, use, maintenance, sharing, and dissemination of this information that is consistent with “respect for individuals’ privacy and civil liberties.”  The usage and privacy policy must be made available to the public in writing and posted conspicuously to the operator/user’s website.

S.B. 34 authorizes a private right of action by any individual who has been harmed by a violation of these requirements – including the unauthorized access or use of ALPR information or a breach of security of an ALPR system – against any individual who “knowingly caused” the harm.  The law allows plaintiffs to recover a minimum of $2,500, plus any actual damages in excess of that amount; punitive damages; reasonable attorneys’ fees and costs; and equitable relief.

Further Action Required For Businesses

California has taken yet another step to update its digital privacy laws to provide clarity and bring them in line with the ever changing electronic privacy landscape.  Businesses and entities subject to California’s digital privacy laws should consider reviewing their data breach notice policies and procedures to see if they conform to the revised law.  Specifically, encryption standards used to protect data should be “generally accepted in the field of information security,” pursuant to A.B. 964, and notification policies and procedures should be updated to conform to S.B. 570.  Furthermore, ALPR operators and end users must revise that their policies and procedures to ensure compliance with S.B. 34 so that they do not risk fines or liability from private causes of action.