Governor Jerry Brown signed AB 964 and SB 570 into law on October 8, 2015, amending California’s data breach notification statute. These amendments became effective on January 1, 2016. Affected California businesses that haven’t already done so need to review their notification procedures and practices to ensure that they are in compliance with data breach laws, as amended.

Recent Changes to California Data Breach Law

As stated by the Office of the Attorney General, businesses and state agencies in California are required by law to notify any state resident when that person’s unencrypted personal information has been, or is reasonably believed to have been, acquired by an unauthorized person. Additionally, any business or person required to notify more than 500 residents as the result of a single breach is also required to submit a copy of the notification — excluding personally identifiable information — electronically to the Attorney General.

The amendments that went into effect on January 1, 2016 provide some clarification for businesses, but they may also serve to make meeting reporting requirements a greater burden. Major changes effected by the new legislation are:

  • AB 964: The bill defines “encrypted” as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” This definition may help businesses determine when they are required to notify consumers of a data breach. It does not specify any particular method of encryption.
  • SB 570: The content of consumer notices must be formatted in a certain manner, as required by this new data breach law. Included in the bill is a breach notification template that businesses can follow to ensure they are in compliance with the new format.

The notice must be titled “Notice of Data Breach.” The content must be organized under the following headlines, conspicuously and clearly displayed:

    • What Happened
    • What Information Was Involved
    • What We Are Doing
    • What You Can Do

When the only personal information affected is the consumer’s username or email address, there are additional notice requirements under both bills. In that case, businesses may notify consumers in electronic or other form, instructing them to promptly change the password and security question and answer associated with the account; or take appropriate action to protect that account and any others associated with the user name or email address.

Both bills also require that the data breach notice must be conspicuously posted on the business website for at least 30 days, with a link to that notice on the website’s homepage, which must be in a larger or contrasting type or font or otherwise set off. The definition of “personal information” is amended in both bills to include data collected by automated license plate recognition systems.

California Attorneys Who Know Data Breach Law

If you are dealing with a data breach violation or ensuring that your business is compliant with new data breach law, our California general complex litigation attorney at McCuneWright LLP can help. Contact us today. We have the experience and resources to provide the counsel and representation you need in data breach legal matters.