Cybersecurity Month: California Expands Data Breach Protections


The California legislature has passed a package of legislation focused on data breaches and cybersecurity on the heels of a significant hack at UCLA Health, which compromised the health records of as many as 4.5 million people. The bills set encryption standards as well as notification protocols for when a breach happens.

The first bill expands the definition of “personal information” to include data collected through the use of an automated license plate recognition system. As CivSource has previously reported, both law enforcement and private companies are increasingly using license plate readers to track individuals and patterns of crime. The amendments apply to both public and private entities that collect this information and require that license plate reader data be safeguarded when it is collected. The bill also provides legal redress for individuals who are harmed by a breach of these data.

The second bill codifies the definition of “encrypted” within state law. Personal information is deemed to be encrypted if it is rendered “unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”

The final bill changes how notifications must be worded when someone’s data is breached. The changes essentially make notification letters clearer by saying explicitly at the top that a breach has occurred. The bill also requires new headings like “What Happened,” “What Information Was Involved,” and “What We Are Doing.”

Data breach laws are becoming more and more common as state legislatures catch up to the realities of cybersecurity and vulnerabilities. How those laws are crafted has important implications for privacy and personally identifying information. The security requirements and any limits on data collection included in these laws are important for ensuring data remains out of the hands of adversaries and provide an important check on the growing surveillance state.

Law firm BakerHostetler is keeping a register of data breach laws nationwide; see what your state is doing here.

The full text of all three bills is below:

SB 34

SB 570

SB 964