California Enacts Three Laws Amending Data Breach Notification Statutes | Practical Law

The Governor of California has signed into law three bills amending the state's data breach notification statutes to provide additional guidance to the entities that deal with electronic personal data and also clarify key elements of the existing laws.

Practical Law Legal Update 0-619-4209 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 12 Oct 2015 | California
On October 6, 2015, California Governor Jerry Brown signed three bills, passed together as a single legislative package, intended to clarify key elements of the state's data breach notification statutes and provide additional guidance.
AB 964 redefines the term "encrypted" as it is used throughout the data breach notification statutes to mean "rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the information technology field."
SB 570 requires covered entities sending out notice of a data breach to title that notification "Notice of Data Breach" and to organize the required information disclosures under the following headings:
  • What Happened.
  • What Information Was Involved.
  • What We Are Doing.
  • What You Can Do.
  • For More Information.
Among other requirements, the notification letter must be written in plain language and in a font no smaller than 10-point type.
SB 34 expands the definition of "personal information" as used in the statutes to include information or data collected through an automated license plate recognition (ALPR) system when the information is not encrypted and includes an individual's name. Additionally, ALPR operators and end-users must undertake reasonable security measures to protect information gathered by an ALPR system. Under SB 34, individuals who have suffered an injury due to a violation of these requirements will now have a private right of action.
The new laws will become effective on January 1, 2016.