01.29.2016

Updates

In four of the last five years, California’s legislature has updated its data breach notification law, expanding its scope and making the required notifications more specific.  This year, the legislature passed three separate measures that went into effect on January 1, 2016, A.B. 964, S.B. 570 and S.B. 34, related to encryption, the definition of personal information and required notice content.

What is “encrypted”?  Most breach notification laws exempt a data loss from disclosure if the personal information was “encrypted” but fail to define what qualifies as “encrypted.”  California’s law now specifies that encrypted means “unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”

What must notice look like?  California’s law now specifies how the notice must be organized, standardizes the headings that must be used and requires that it be written in at least 10 point type.  Each notice must be titled “Notice of Data Breach” and contain headings reading “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do” and “More Information.”

Protection for License Plate Numbers.  California also became the first state in the nation to require breach notification for license plate numbers when they are collected through the use of an automated plate recognition system.

Other Changes Across the Country

The new year is an excellent time to ensure that breach response plans are consistent with the many changes made by legislatures across the country, most of which have just gone into effect or are slated to become effective in the next few months.

To summarize, the statutory changes mean the following changes for your next incident response:

  • More incidents will be “breaches.”  States continue to add data types to the definition of “personal information,” with the consequence that more and more incidents, especially those affecting health information and online user credentials, will trigger statutory notification requirements.
  • Credit monitoring is (sometimes) required.  Connecticut became the first state to require identity theft protection services after a breach involving social security numbers.
  • More, and more public, regulator disclosure.  Five more states now require regulator notification when consumers are notified of a breach, and at least two have already launched public websites listing the notices received.
  • More forms of notice.  Several states have added provisions listing the content they want to see in consumer notifications, further complicating response to a nationwide incident.

As these laws become increasingly divergent and complex, careful monitoring and advice are essential, and all companies that conduct business with U.S. consumers should assess their current data security procedures and breach notifications.

For a full list of state laws regarding security breach notification, please visit Perkins Coie's newly updated Security Breach Notification Chart.

© 2016 Perkins Coie LLP