California Governor Jerry Brown on October 6 signed into law two bills that update the state’s data breach notification law. In adopting the measures, the state legislature cited reports from the California attorney general’s office, the Identity Theft Resource Center, and the Privacy Rights Clearinghouse indicating significant increases in the number of data security breaches reported in recent years.
One bill (A.B. 964) defines the word “encrypted” to mean data that is “rendered unusable, unreadable, or undecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.” The existing breach notification law already applied only to unencrypted personal information held by private businesses and public agencies, but it never said what encryption meant; the change supplies that definition. The definition is technology-neutral: it names no particular algorithm, key length, or product, and instead defers to what is generally accepted in the field.
“California law requires a business or state agency that owns or licenses computerized data to notify any California resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person following discovery of a data breach,” explained Assembly Member Ed Chau, the sponsor of the bill. “This provision serves to encourage businesses and agencies who store personal information to adopt encryption standards, so stolen information would be deemed less vulnerable to abuse.”
The second bill (S.B. 570) signed by the governor specifies what data breach notices must say and provides a model security breach notification form that complies with the format requirements.
Specifically, it requires California businesses that own or license computerized data that includes personal information to provide affected individuals with a notice entitled "Notice of Data Breach," in which the required content is presented under the following headings:
- "What Happened"
- "What Information Was Involved"
- "What We Are Doing"
- "What You Can Do"
- "For More Information"
The measure states that additional information may be provided to supplement the required notice.
“Existing law requires breach notifications to be made in the most expedient time possible without unreasonable delay, and specifies certain information that must be included in these notices,” explains a report on the bill from State Senate Judiciary Committee Chairwoman Hannah-Beth Jackson. “The law provides that breach notifications must be written in ‘plain language,’ but is otherwise silent about how the information should be presented.”
According to a report by the Identity Theft Resource Center, a non-profit organization that promotes best practices for fraud and identity theft detection, reduction, and mitigation, the number of U.S. data breaches it tracked hit a record high of 783 in 2014. This was 27.5% higher than the number of breaches reported in 2013 and 18.3% higher than the 662 breaches tracked in 2010.