California Expands Breach Notification Law to Include Encrypted Data | Practical Law

The California Governor has signed A.B. 2828 into law, which amends the state's current breach notification statute to include encrypted personal information, when the encryption key is also obtained.

Practical Law Legal Update w-003-5400

by Practical Law Intellectual Property & Technology
Published on 21 Sep 2016 | USA (National/Federal)
On September 13, 2016, the California Governor signed A.B. 2828 into law, which amends Cal. Civil Code §§ 1798.29 and 1798.82. The law expands the state's breach notification requirement to any person or business doing business in California that owns or licenses encrypted personal information when the encryption key or security credential used to unencrypt the data is also obtained by an unauthorized party.
In particular, the amended statutes will apply to both:
In both circumstances, entities will be required to report the breach if all of the following apply:
  • Encrypted personal information is, or is reasonably believed to have been, acquired by an unauthorized person.
  • The encryption key or security credential is also acquired, or is reasonably believed to have been acquired, by an unauthorized person.
  • The entity believes the encrypted information could be rendered readable or useable.
A.B. 2828 will be effective on January 1, 2017.