On October 6, California Governor Jerry Brown signed into law two different updates to California’s data breach notification statute. Both updates will become effective on January 1, 2016.
The first update, AB 964, defines “encrypted” for purposes of the statute to mean “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.” The second amendment to the statute this year, SB 570, requires notices of data breaches that are sent to individuals to be titled “Notice of Data Breach,” and prescribes other format and content options. For example, the notices must include the headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” In addition, the format of the notice must be designed to “call attention to the nature and significance of the information it contains” and the text must be no smaller than 10-point type. To assist with notification, the statute prescribes a model security breach notification form. If a breached entity uses the form with content written in plain language, it is deemed to be in compliance with the notification requirements of the statute.
California continues to be one of the most active and prescriptive states in the area of data breach notification law. In the past, other states have followed California’s lead in adding requirements to their data breach notification statutes. In 2015 alone, Rhode Island, Oregon, Connecticut, North Dakota, Nevada, Wyoming and Montana updated their data breach laws, in addition to California’s revisions. It is likely that 2016 will see a similar, or even greater, level of update activity.