California Legislature Amends Data Breach Notification Rules

With all the attention given to state and national political contests and to state-specific initiatives such as California’s Proposition 64, which paves the way for recreational marijuana use within the state, some other important amendments to state law have received less emphasis than perhaps they deserve. One recent change that many California businesses (and some agencies) can ignore only to their detriment relates to Assembly Bill 2828, which amends California’s breach notification laws. Under the new law, approved by the Governor on September 13, 2016, and which becomes effective January 1, 2017, designated businesses must notify affected account holders and others that a breach has occurred, even if the breach only involves encrypted data. How secure is your web site door?

Existing Breach Notification Rules

Under existing law, notification is required when a California resident’s personal information was, or is reasonably believed to have been, acquired by an unauthorized person, and that personal information was unencrypted. In other words, if such an unauthorized person acquires encrypted personal information, notification is not required.

New Rules

Beginning next year, notification will be required for breaches of encrypted personal information of California residents if:


 Encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person;

 The encryption key (confidential key or process designed to render the data readable) or security credential was, or is reasonably believed to have been, acquired by an unauthorized person; and

 There is a reasonable belief that the encryption key or security credential could render that personal information readable or useable.


Encryption generally refers to a process that converts data into a form that makes it “unreadable” by an unauthorized person. The California data breach notification law generally defines “encryption key” as the confidential key or process designed to render the data readable.

Some Out of State Businesses Are Also Affected

The amended law is applicable to all persons and businesses that own or license computerized data and conduct business in California, as well as state agencies that own or license computerized data. It is possible, therefore, for a non-California business that conducts business within the state to come under the law.

California Was First State to Require Notification

California was the first state in the country to require notification of security breaches. The original law became effective in 2003. The law has been amended numerous times. The last such amendment (prior to AB 2828) was in October 2015, when the definition of “encrypted” was modified and the definition of “personal information” was expanded.

Number of Breaches has Grown in Recent Years

According to organizations such as the Information Systems Audit and Control Association (ISACA), breaches have become all too common. In 2015, for example, more than 150 million personal records were exposed across the country. In 2016, there have been more than 800 significant data breaches. Ransomware attacks, where a hacker encrypts data until the victim agrees to pay a ransom to obtain the encryption key, have increased by more than one-third. Recent studies indicate that the cost to companies of dealing with data breaches continues to increase, with estimates of more than $150 per lost or stolen record.

Many Businesses Don’t Know They Are Vulnerable

If your California business electronically maintains personal information about personnel or customers, you may be vulnerable to a data breach. Your current business practices may not conform to California law. Failure to follow the data breach law can have expensive consequences for your business. The law firm of CKB VIENNA LLP provides commercial legal advice and counsel to nearly every type of business, from Fortune 500 corporations to startups and nonprofits. Our attorneys provide specialized legal/business consulting services and offer guidance designed to avoid the consequence and cost of litigation including compliance with laws such as those amended by Assembly Bill 2828. CKB VIENNA LLP has a long history of representing clients in all types of business issues. We have offices in Rancho Cucamonga, San Bernardino, and Los Angeles. Contact us by telephone at 909.980.1040 or complete our online form.