Legislation covering data privacy and security in the state of California is stricter than that of most other states, and a trio of new bills amending California breach notification law was signed last week, adding further protections for California residents.
State governor Jerry Brown signed three bills last week that amend California breach notification law. Together they expand the list of data elements that count as "personal information", the exposure of which requires companies based in or doing business in the state to issue breach notifications to the individuals whose personal data has been compromised.
New standards have also been introduced to make breach notices more uniform, and "encryption" now has a definition in statute.
California Breach Notification Law Changes
The three bills were signed as a single package, and each makes a targeted change to California breach notification law with an effective date of January 1, 2016.
Assembly Bill 964 addresses data encryption, clarifying what the term actually means under California law. Data is "encrypted", for the purposes of the breach notification statute that refers to the term throughout, when it is "rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security." This closely matches the wording used under the Health Insurance Portability and Accountability Act (HIPAA). Until now the statute exempted encrypted data from notification without ever saying what counted as encrypted; the definition is deliberately technology-neutral, so an organization relying on the exemption should be able to show that the method it used is one the information security field generally accepts.
Senate Bill 570 stipulates how breach notification letters must be laid out, and sets a standard that must be followed by every organization suffering a data breach that exposes the personal information of California residents. This applies to businesses located in the state as well as to those based elsewhere in the country that do business in California.
Breach notices sent to victims must be titled "Notice of Data Breach" to avoid any confusion, must be written in plain language in type no smaller than 10 point, and must present specific information about the breach under prescribed headings. Senate Bill 570 includes a model Notice of Data Breach with the headings that the letters should use. These are:
- What Happened?
- What Information Was Involved?
- What We Are Doing
- What You Can Do
- Other Important Information
- For More Information
Finally, Senate Bill 34 alters the definition of personal information so that it now also includes data recorded by automated license plate recognition (ALPR) systems, and it imposes security and privacy obligations on both operators and end users of ALPR systems.
The new bills raise the level of protection for California residents and ensure that crucial information is communicated to them, in a consistent format, in the event of their personal data being inadvertently or deliberately exposed.