By Odia Kagan, Philip N. Yannella and Roshni Patel
Three bills that will update California’s data breach notification requirements have been signed into law by Governor Jerry Brown. The bills impose specific requirements on providing breach notification to consumers, add a definition of “encryption,” and amend the definition of “personal information.” These updates take effect on January 1, 2016.
Perhaps the most important of the three bills, S.B. 570, changes how companies must notify consumers of a security breach. The changes include:
A second bill, A.B. 964, clarifies California’s existing data breach notification law by providing a definition of encryption as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” Under California law, notifications with respect to an information security incident are generally not required for information that is encrypted. The added definition attempts to provide additional clarity to the term by excluding custom and proprietary encryption solutions.
The third bill, S.B. 34, amends the definition of personal information to include information or data collected through the use or operation of automated license plate recognition (ALPR). ALPR is a mass surveillance method that uses optical character recognition on images to read license plates. Existing closed-circuit television or road-rule enforcement cameras can be used, or ones specifically designed for the task. They are used by various police forces and as a method of electronic toll collection on pay-per-use roads and cataloging the movements of traffic or individuals.
With these updates, California continues to be in the forefront of privacy protective legislation. The changes are likely to become a benchmark for compliance for companies with operations and customers throughout the United States.
Members of Ballard Spahr’s Privacy and Data Security Group regularly assist businesses in handling information security incidents and in developing incident response plans.
For more information, contact the authors of this alert, Privacy and Data Security Group Practice Leaders Philip N. Yannella or Daniel JT McKenna, Consumer Financial Services Practice Group Leader Alan S. Kaplinsky, or the Ballard Spahr attorney with whom you work.
Copyright © 2015 by Ballard Spahr LLP.www.ballardspahr.com(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.
For more information about LexisNexis products and solutions connect with us through our corporate site.