But, the Data was Encrypted... | California Data Breach Notification Law Amendment

Posted by The ALS Group on Nov 22, 2016 2:52:03 PM


Back in May 2016 I posted a blog (Be Prepared – Data Breach Notification Laws are Changing), which covered how data breach notification laws were evolving.  At that time the state of Tennessee amended its law, becoming the first state in the nation to require notification of any data breach, whether the information is encrypted or not.  I also predicted that state laws would most likely become stricter in the not too distant future…

On January 1, 2017, the state of California’s amended breach notification law will go into effect.  Notification will be required for events where encrypted Personally Identifiable Information (PII) of California residents are breached. Prior to this amendment, California breach notification law only demanded notification if the impacted data was un-encrypted and was acquired by an unauthorized third party.

What is data encryption?

Data encryption translates data into another form, or code, so that only people with access to a secret key (formally called a decryption key) or password can read it.  Encrypted data is commonly referred to as cipher text, while un-encrypted data is called plaintext.  Currently, encryption is one of the most popular and effective data security methods used by organizations.

California Assembly member Ed Chau, author of the state’s consumer protection bill AB 2828 stated, “In an effort to protect consumers after a data breach, AB 2828 requires businesses and government agencies to notify affected consumers where encrypted personal information is disclosed and there is a reasonable belief that encryption keys or security credentials were also compromised and could render the breached information readable or usable,” Chau stated on his website.  “This bill will allow victims to take the necessary steps to protect themselves from fraud and identity theft before the data is used or sold by the hackers.”

We’ll most likely see other states adopt the same types of amendments to their breach notification laws in the near future, forcing companies to respond appropriately and in a timely fashion.  To prepare for these coming changes, it is critical for organizations to:

  • Understand and keep apprised of their state’s breach notification requirements
  • Incorporate breach notification into their Incident Response/Crisis Management plans
  • Ensure that their cyber liability insurance covers breach notification expenses

Failure to provide proper notification in accordance with the law will yield regulatory penalties and brand reputation damage that has the potential to be more costly than any fines.

Click here to request more information about The ALS Group or if you have questions regarding breach notification requirements.

Topics: Breach of Security, California Data Breach Notification Law; Data Brea, Cyber Breach, Cyber Liability, Cyber Risk, Cyber Security, Data Breach, Personally Identifiable Information, PII, Protection Bill AB2828, Risk management, Risk Management Blog

The ALS Group

Risk Management Blog

We manage more than a quarter billion dollars of premiums for a diverse range of clients around the globe. 

Our areas of expertise include:

  • Enterprise Risk Management (ERM)
  • Cyber Security & Cyber Liability Insurance
  • Construction Management
  • Customized Risk Management Assessments (RMAs)

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all