California's data breach notification law, already the strongest in the country, has been updated again to further protect state residents whose personal information is compromised.
The latest update closes a gap in the law: until now, businesses have not been required to notify affected individuals, or the state attorney general, of a breach in which the personal information accessed or stolen was encrypted.
State governor Jerry Brown signed the amendment (AB 2525) on September 13. It requires organizations and individuals doing business in California to notify breach victims when their personal information has been compromised or obtained by an unauthorized party, even if that information was encrypted.
The change applies to breaches of encrypted data in which the key needed to decrypt the data is also obtained. Notification is likewise required when the decryption key itself is not taken but security credentials are stolen that could render the encrypted data readable or usable. In practice, the exemption for encrypted data therefore depends on how well the keys and credentials are protected, not just on whether encryption is in use: if an attacker who obtains the ciphertext can also obtain the means to unlock it, notifications must be issued to all affected individuals.
Under the current law, no notifications need to be issued after a breach if the organization used encryption to protect the personal data involved. Many organizations in the state have opted to encrypt all collected data as a way of avoiding the need for data breach notification policies. Once the amendment takes effect, every organization must have policies in place covering data breaches, even where encryption is employed.
Any company that does not yet have policies covering the issuing of breach notifications will need to create them before the end of the year to remain compliant with state law.
The new law takes effect on January 1, 2017 and applies to any business or person that owns or licenses computerized data.