California Amends Data Breach Notification Law
posted: Thursday, September 22nd
Amendments Effective January 1, 2017
California has amended its data breach notification law to cover certain situations in which encrypted personal information--along with the encryption key or security credential--was (or is reasonably believed to have been) acquired by an unauthorized person.
Amended Law
Under the amended law, a person or company that conducts business in California, and that owns or licenses computerized data that includes personal information, must disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a California resident:
- Whose unencrypted personal information was (or is reasonably believed to have been) acquired by an unauthorized person; or
- Whose encrypted personal information--along with the encryption key or security credential--was (or is reasonably believed to have been) acquired by an unauthorized person and the person or company that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.
Note: The amended law added the second bullet point above.
Definitions
Under the law, "personal information" means either of the following:
- Whose unencrypted personal information was (or is reasonably believed to have been) acquired by an unauthorized person; or
- Whose encrypted personal information--along with the encryption key or security credential--was (or is reasonably believed to have been) acquired by an unauthorized person and the person or company that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.
Note: "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
"Encryption key" and "security credential" mean the confidential key or process designed to render data useable, readable, and decipherable.
The amendments are effective January 1, 2017.