Breach notification after CCPA: Will encryption ‘save the day’?
Co-authored by: Cyrus Bhorhani (@CyrusB27)
Privacy Rights Clearinghouse reports that since 2005 there have been a total of 8,804 data breaches made public, resulting in 11,575,804,706 records being compromised. Thus far in 2019, there have been 58 data breaches made public, resulting in 1,396,634 records being compromised. This growing problem prompted state lawmakers to enact data breach notification statutes. In 2002, California became the first state to enact data breach notification legislation, which provided an example for other states to follow. Since then, forty-five states have enacted their own data breach notification legislation.
Data Breach Framework
California’s data breach framework gives all California residents the right to be notified when there is a security breach at a company that does business within California. A security breach is typically defined as an unauthorized acquisition of computerized data that compromises the confidentiality, integrity, or security of personal information maintained by the entity. Personal information, for purposes of data breach notification, includes a person’s first and last name in conjunction with any of the following additional data elements: (1) the person’s social security number; (2) driver’s license number; (3) the person’s medical information or health insurance information; (4) the person’s account or debit card number. Of note, the current definition of personal information for purposes of data breach notification excludes passport numbers and biometric information; however, a bill was recently introduced to amend the definition to include them.
California law requires a data breach notification to include specific elements: (1) who is issuing the notification; (2) a general description of the breach; (3) identification of what information was involved in the data breach; (4) whether the notification was delayed because of a law enforcement investigation; (5) what the entity is doing to resolve the problem; (6) what victims can do to protect themselves; (7) where to find more information about the data breach. The Attorney General’s office also encourages businesses, at their discretion, to include the following: (a) information regarding what the person or business has done to protect the individuals whose information has been breached; (b) advice on steps that the person whose information has been breached may take to protect himself or herself.
California’s data breach notification requirements also take into account the sectoral approach to privacy that has been present in the United States for decades. For example, a covered entity under HIPAA will be deemed to have complied with the notice requirements if it has fully complied with HIPAA. Furthermore, all insurers, insurance producers, and insurance support organizations must provide the insurance commissioner with any notices or information that is submitted to the Attorney General’s (AG’s) office. Finally, for large-scale breaches, where the company is required to notify more than 500 California residents as a result of a single breach, California data breach law requires that a copy of the security breach notification be sent to the AG.
Business Leeway and the Encryption Exemption
California law does provide some flexibility to businesses, specifically exempting them from mandatory notification so long as the data was encrypted. This means the data must have been rendered unusable, undecipherable, or unreadable to the unauthorized person who accessed it. Where notification is required, the company must follow through with it in the most expedient time possible and without unreasonable delay. Because there is no explicit deadline, this may give companies some time in responding to the breach.
When encrypted data is compromised, it is important for the business to determine whether the encryption key has also been accessed. While, generally speaking, a breach of encrypted data does not trigger a mandatory notification requirement, when the encryption key is also accessed or exposed, the company is required to notify. Courts look at whether the controller of the personal information had a reasonable belief that the encryption key or security credential could be used to render the encrypted personal information readable or usable.
Data Breach Notification under the CCPA
Since the enactment of the initial data breach notification legislation, the California Consumer Privacy Act (CCPA) has been enacted. The CCPA officially added a private right of action for consumers affected by data breaches (barring any amendments from the Attorney General’s Office). This framework gives the right to sue to any consumer whose non-encrypted personal information is subject to unauthorized access, exfiltration, theft, or disclosure as a result of a failure to maintain reasonable security procedures and practices. A plaintiff can recover damages in an amount no less than $100 and not greater than $750 per incident, or actual damages, whichever is greater. Injunctive or declaratory relief is also available. While the damage figures seem low on their face, the overall impact could be much greater due to the potential for class actions.
Practical Consequences and Concluding Thoughts
Any company doing business in multiple states should maintain a list of the data breach notification requirements for each state, as well as the amount of data it holds on residents of that state. This helps ensure that mandatory breach notification requirements are met, as they can differ from state to state.