Changes to California’s Data Breach Notification Law

Many companies that possess computer data containing personal information relating to individuals take the precaution of encrypting that data so that it is more difficult to compromise. “Encryption” is a process that converts the data into a form that is unreadable without an encryption “key,” which renders the data readable.
Up until January 1, 2017, California law required businesses that own or license computerized data with personal information to disclose a data breach to a California resident only when that individual’s unencrypted personal information had been compromised. As a result of an amendment that Governor Brown signed into law last year, California’s data breach notification law now also requires disclosure of a breach of encrypted data under certain circumstances.
Specifically, the law now requires notification of a breach when (a) there is unauthorized acquisition of both encrypted personal information and the encryption key or security credential, and (b) the business has a reasonable belief that the encryption key or security credential could render such personal information readable or useable.
This law applies to all persons and businesses that own or license computerized data and conduct business in California, as well as state agencies that own or license computerized data.
