HR Alert

California Amends Data Breach Notification Law

Amendments Effective January 1, 2017

California has amended its data breach notification law to cover certain situations in which encrypted personal information--along with the encryption key or security credential--was (or is reasonably believed to have been) acquired by an unauthorized person.

Amended Law
Under the amended law, a person or company that conducts business in California, and that owns or licenses computerized data that includes personal information, must, following discovery or notification of a breach in the security of the data, disclose the breach of the security of the system to a California resident:

  • Whose unencrypted personal information was (or is reasonably believed to have been) acquired by an unauthorized person; or
  • Whose encrypted personal information--along with the encryption key or security credential--was (or is reasonably believed to have been) acquired by an unauthorized person and the person or company that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.

Note: The amended law added the second bullet point above.

Definitions
Under the law, "personal information" means either of the following:


Note: "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

"Encryption key" and "security credential" mean the confidential key or process designed to render data useable, readable, and decipherable.

The amendments are effective January 1, 2017.
