California adopted the first data breach notification law in the nation in 2002, and has consistently worked to ensure that its law remains at the forefront of data security laws in the United States. California burnished this reputation on September 13, 2016, when Governor Jerry Brown signed AB 2828, sponsored by Legislator Ed Chau. This law amends California’s data breach notification law, Civil Code Section 1798.82, by making significant changes to the reporting requirements for businesses that hold personal information that has been compromised.
Prior to the adoption of AB 2828, California, like most other states, did not require businesses to disclose breaches in which the information acquired was “encrypted.” Effective January 1, 2017, AB 2828 will require businesses to disclose a breach in which encrypted information has been acquired without authorization if the encrypted data is leaked together with the encryption key or security credential that “could render that personal information readable or useable.”
Encryption Safe Harbor
The exception for encrypted personal data has been part of California law since its adoption; however, it had a potentially significant flaw: even if the key to encrypted data was disclosed, making it readable by hackers and other bad players, the business was not obligated to issue a notice to affected individuals. In other words, even when encrypted information was, in fact, readable, a business was not required to report a breach. The result was that some individuals whose personal information was disclosed never received notice and could not take steps to protect their financial information or identity.
The Electronic Frontier Foundation, in support of AB 2828, said that “AB 2828 would fill an important gap in California’s current data breach notification law. A thief might steal an encrypted laptop, along with a note carelessly taped to the device stating the decryption password. Or a thief might remotely steal encrypted data, and later use social engineering to acquire the security credentials. In these and many other circumstances, wrongdoers will acquire both encrypted personal information and the power to decrypt that information. In such circumstances, people should be notified that they are at risk of wrongdoers misusing their personal information.”
When AB 2828 becomes effective, data that has been converted into code so as to be readable only by those who have the encryption key to decode it will be subject to the broad terms of California’s disclosure law. While AB 2828 patches a potential flaw in the law – encrypted data is no longer protected if one holds the key – it also creates a challenge for many businesses.
Challenge to Business
Breach laws are challenging to businesses. Breaches rarely occur at a “convenient” time, and businesses must address a variety of issues to determine whether an event is, in fact, disclosable. Among other things, businesses must determine what information was exfiltrated; where the affected individuals are located; what notice must be given to regulatory and law enforcement authorities; what cyber-insurance carriers will require; how the breach can be remediated; and so on. Companies must quickly engage counsel with experience in mediating breaches, technical expertise, and public relations assistance, and often must consider regulatory requirements. These tasks must be accomplished under great time pressure; even if the company is not subject to specific timing requirements, companies strive to notify their customers, employees and other impacted persons promptly. At the same time, companies need to be discerning enough to avoid sending a notice where no reportable information has been breached, since doing so could subject the business to liability and impact customer and employee relations.
It should be remembered that data breaches are rarely obvious or clear-cut; one of the most difficult tasks can be to determine, with a degree of confidence, what information was breached. Hackers and other bad actors often take steps to hide their actions, so any individual piece of information may not be easy to determine. It is questionable whether a company can readily determine whether a data key or administrative credentials have been compromised.
Encrypting personal information has been a safe harbor and allowed companies to avoid unnecessary disclosure. However, because of California’s outsize impact, both as the largest state and because of its reputation for leading the country in cybersecurity, all companies, wherever located, will have to determine how to comply with AB 2828, except for those breaches that actually exclude California residents. The amendment will further burden companies that have not been monitoring access to data in its encrypted form.
The expansion of different threats (ransomware, lockerware, spear phishing and so on), combined with the changes imposed by AB 2828, reinforces the need to prepare for the inevitable data breach. Identifying potential security gaps, training staff on best practices for preventing data breaches and ensuring that an effective data breach protocol exists can be the difference between compliance and non-compliance.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.