On September 13, California Gov. Jerry Brown signed into law AB 2828, tightening what is already considered to be among the most stringent data breach notification laws in the United States. Currently, businesses are required to notify consumers when unencrypted personal information has been compromised. The new law, which takes effect January 1, 2017, requires businesses to also disclose data breaches where encrypted information is breached, if the encryption keys have been compromised. While the change patches what was arguably a conceptual flaw in the existing statute, it also creates a challenge for many businesses who hold personal information.
California has taken a leading role in cybersecurity, adopting the nation’s first data breach notification law in 2002. Since then, the state has made several changes to the law, including in 2015, when it provided a new definition for encryption and updated what security breach notifications must include. Like most states, however, California doesn’t currently require businesses to disclose breaches where “encrypted” information was acquired. This is true even if the key to decode the data was disclosed.
But such an encryption safe harbor, which has been part of the law since it was adopted, had a potentially significant flaw, leaving open the possibility that some individuals would not be notified even though their personal information was vulnerable.
That will change under the new law, which amends Civil Code Section 1798.82 and applies to all persons and businesses that own or license computerized data. It demands consumers be notified when their encrypted personal information is disclosed and there is a reasonable belief that encryption keys or security credentials were also compromised and “could render that personal information readable or useable.” While the goal of the new law – to allow victims to take steps to protect themselves from fraud or identity theft before the data is used by hackers – isn’t controversial, the law does present a compliance challenge for businesses.
In the event of a data breach, businesses have to quickly address a number of issues to determine whether the breach is something that must be reported. While companies strive to notify affected persons promptly, they don’t want to needlessly subject themselves to additional scrutiny or negatively impact public perception and customer relationships. This new law will complicate that evaluation process and create additional burdens for companies that have not been monitoring access to encrypted data.
What Companies Should Do
Given the pervasiveness of hacking incidents and data breaches in recent times, it is almost inevitable that a business will have to contend with such a data breach at one point or another. As such, it is critical that companies take proper steps to prepare. Businesses should review their monitoring and reporting systems, while making an effort to identify potential security gaps and train staff on best practices for preventing breaches. It would also be prudent to consider additional steps, such as establishing an effective data breach protocol and assembling an incident response team that is ready to act if and when a data breach occurs.