California adopted the first data breach notification law in the nation in 2002, and has consistently worked to ensure that its law remains at the forefront of data security laws in the United States. California burnished this reputation on September 13, 2016, when Governor Jerry Brown signed AB 2828, sponsored by Assemblymember Ed Chau. This law amends California’s data breach notification law, Civil Code Section 1798.82, by making significant changes to the reporting requirements for businesses that hold personal information that has been compromised.
Prior to the adoption of AB 2828, California, like most other states, did not require businesses to disclose breaches of “encrypted” information. Effective January 1, 2017, AB 2828 will require businesses to disclose breaches in which encrypted personal information has been acquired without authorization if that encrypted data is acquired together with the encryption key or security credential that “could render that personal information readable or useable.”
Encryption Safe Harbor
The exception for encrypted personal data has been part of California law since its adoption; however, it had a potentially significant flaw: even if the key to encrypted data was disclosed, making it readable by hackers and other bad players, the business was not obligated to issue a notice to affected individuals. In other words, even when encrypted information was, in fact, readable, a business was not required to report a breach. The result was that some individuals whose personal information was disclosed never received notice and could not take steps to protect their financial information or identity.
The Electronic Frontier Foundation, in support of AB 2828, said that “AB 2828 would fill an important gap in California’s current data breach notification law. A thief might steal an encrypted laptop, along with a note carelessly taped to the device stating the decryption password. Or a thief might remotely steal encrypted data, and later use social engineering to acquire the security credentials. In these and many other circumstances, wrongdoers will acquire both encrypted personal information and the power to decrypt that information. In such circumstances, people should be notified that they are at risk of wrongdoers misusing their personal information.”
When AB 2828 becomes effective, data that has been converted into code so as to be readable only by those who hold the encryption key to decode it will be subject to the broad terms of California’s disclosure law. While AB 2828 patches a potential flaw in the law (encrypted data is no longer exempt from notification if the person who acquired it also holds the key), it also creates a challenge for many businesses.