New California Data Breach Notification Statute Defines Encryption


Thought Leadership

Neil Farquharson

Most readers won’t have noticed California’s updated breach notification statute, due to take effect on January 1st of 2016. However, it is worth noting that California often leads the way with new legislation – good or bad – that the other states will usually follow in their own good time. Back in 2003, California became the first state to require the issuing of security breach notifications. Since then, nearly every state has followed by enacting laws that require organizations that experience a security breach to notify the affected people.

This is the third time in as many years that California has amended its data breach notification statute. However, dig down into the new statute and you’ll find some good news: after years of muddy ambiguity, California has provided a definition for encryption:

‘For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.’

California’s breach notification statute has had an encryption safe harbor since its inception; however, the meaning of ‘encrypted’ was not previously specified, and this is why the definition above is important to our organizations. It means that, should your business communications be intercepted or breached, there is no need to report the breach if all of those communications are encrypted.

The statute does place more of a burden upon breached organizations: the first amendment expands the definition of ‘personal information’ to include data collected through the use of automated license plate recognition systems – optical pattern recognition systems used by law enforcement; the second amendment changes the format of the notices to be sent to potential victims, which must now include a clear header, ‘Notice of Data Breach’; while the third amendment is the definition of encryption, already quoted above.

Organizations need to be aware of their obligations should they suffer a data breach; however, it makes more sense to avoid breaches wherever possible by implementing cost-effective data security solutions. One weak point in data transfer is the sending and receiving of emails over the public Internet. Secure email encryption protects your business and your clients’ private information from being viewed by the bad guys. To learn more, you can find helpful email encryption resources here.