Back in May 2016 I posted a blog (Be Prepared – Data Breach Notification Laws are Changing), which covered how data breach notification laws were evolving. At that time the state of Tennessee amended its law, becoming the first state in the nation to require notification of any data breach, whether the information is encrypted or not. I also predicted that state laws would most likely become stricter in the not too distant future…
On January 1, 2017, the state of California’s amended breach notification law will go into effect. Notification will be required for events where encrypted Personally Identifiable Information (PII) of California residents is breached. Prior to this amendment, California breach notification law only demanded notification if the impacted data was unencrypted and was acquired by an unauthorized third party.
What is data encryption?
Data encryption translates data into another form, or code, so that only people with access to a secret key (formally called a decryption key) or password can read it. Encrypted data is commonly referred to as ciphertext, while unencrypted data is called plaintext. Currently, encryption is one of the most popular and effective data security methods used by organizations.
California Assembly member Ed Chau, author of the state’s consumer protection bill AB 2828, stated on his website: “In an effort to protect consumers after a data breach, AB 2828 requires businesses and government agencies to notify affected consumers where encrypted personal information is disclosed and there is a reasonable belief that encryption keys or security credentials were also compromised and could render the breached information readable or usable. This bill will allow victims to take the necessary steps to protect themselves from fraud and identity theft before the data is used or sold by the hackers.”
We’ll most likely see other states adopt the same types of amendments to their breach notification laws in the near future, forcing companies to respond appropriately and in a timely fashion. To prepare for these coming changes, it is critical for organizations to:
- Understand and keep apprised of their state’s breach notification requirements
- Incorporate breach notification into their Incident Response/Crisis Management plans
- Ensure that their cyber liability insurance covers breach notification expenses
Failure to provide proper notification in accordance with the law will yield regulatory penalties and brand reputation damage that has the potential to be more costly than any fines.