Compliance Bulletin

Under New Data Breach Bill, Encryption No Longer Offers Automatic Bye
September 26, 2016

The California Legislature enacted AB 2828 to further strengthen consumer protections in the event of a data breach. The existing laws include a safe harbor that generally exempts the compromise of encrypted personal information from the law’s notification provisions. The inclusion of the safe harbor was intended to incentivize companies to encrypt personal information under their control. The Legislature has determined that the protections offered by encryption can be defeated when the encryption key used to decrypt data and security credentials are taken together with consumer data during a data breach. AB 2828, which was signed by the governor, amends the data breach laws for both companies and agencies by removing the safe harbor if the keys to the encryption or security credentials are believed to have been acquired. See CBA’s Regulatory Compliance Bulletin for more information.