California, which has historically been one of the states at the vanguard of data breach notification issues, has made an update to its statute that takes effect on January 1, 2017. The update will require companies to notify affected individuals of a data breach of encrypted information, if “the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.” For the purposes of the statute, “encryption key” and “security credential” mean “the confidential key or process designed to render the data useable, readable, and decipherable.”
Notably, California is not the first state to require notice for a compromise of encrypted information if the encryption key is also compromised. Seventeen other states, including New York and Texas, already included this requirement.
Companies should keep in mind that data breach notification statutes are far from settled, and state legislatures continue to be active in this area. As a result, companies should monitor the data breach notification statutes to ensure that they stay informed of changing obligations.