Three bills that will update California’s data breach notification requirements have been signed into law by Governor Jerry Brown. The bills impose specific requirements on providing breach notification to consumers, add a definition of “encryption,” and amend the definition of “personal information.” These updates take effect on January 1, 2016.
Perhaps the most important of the three bills, S.B. 570, changes how companies must notify consumers of a security breach. The changes include:
- Notices must be titled “Notice of Data Breach” and contain the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” and “For More Information.”
- The notice must be formatted to call attention to the “nature and significance” of the information it contains, with a prominent title and headings in text no smaller than 10-point type.
- Companies may comply with the notice requirements by filling out, in plain language, a model security breach notification form provided in the bill.
- If the breach involved login credentials of an e-mail account, notification cannot be sent to that e-mail address, but may be given by clear and conspicuous notice online when the individual is connected to the online account from an IP address or online location known to the company.
- Notice posted to a company’s website must remain posted for a minimum of 30 days.
- “Conspicuous posting” to a website requires a link to the notice on the home page that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text, or set off from the surrounding text by symbols or other marks that call attention to the link.
A second bill, A.B. 964, clarifies California’s existing data breach notification law by providing a definition of encryption as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” Under California law, notifications with respect to an information security incident are generally not required for information that is encrypted. The added definition attempts to provide additional clarity to the term by excluding custom and proprietary encryption solutions.
The third bill, S.B. 34, amends the definition of personal information to include information or data collected through the use or operation of automated license plate recognition (ALPR). ALPR is a mass surveillance method that uses optical character recognition on images to read license plates. Existing closed-circuit television or road-rule enforcement cameras can be used, or ones specifically designed for the task. They are used by various police forces and as a method of electronic toll collection on pay-per-use roads and cataloging the movements of traffic or individuals.
The bill imposes specified requirements on an “ALPR operator,” which includes either a public or a private entity, for protecting the information collected. This includes maintaining reasonable security procedures and practices to protect ALPR information and implementing a usage and privacy policy with respect to that information. The bill imposes similar requirements on an “ALPR end-user.” The bill requires an ALPR operator that accesses or provides access to ALPR information to maintain a specified record of that access and that ALPR information only be used for authorized purposes. Finally, the bill provides a private right of action to individuals harmed by a violation of these security requirements.
With these updates, California continues to be at the forefront of privacy-protective legislation. The changes are likely to become a compliance benchmark for companies with operations and customers throughout the United States.