California Passes Law Requiring Data Breach Notification for Stolen Encryption Keys

Everett Monroe 
September 14, 2016

Governor Brown signed into law AB 2828, which updates California's data breach notification statute. The amendment addresses breaches of encrypted personal information in which the encryption keys are also compromised. The law takes effect January 1.

AB 2828 closes a loophole in California's existing data breach notification law, Civil Code Section 1798.82, under which a business must notify affected persons of a data breach where unencrypted personal information is lost. Section 1798.82 does not expressly require notification where the lost data was encrypted but the encryption key was also lost or improperly disclosed, even though that data is at as much risk as unencrypted information. The opposite extreme, requiring companies to report every breach of encrypted information whether or not the key remains secure, would generate notifications to individuals who face no serious risk of identity theft, fraud, or loss of privacy.

Some states address this issue with broad language that requires businesses to report data breaches whenever there is a reasonable belief that the data could be accessed or used. While this may describe a meaningful policy goal, such language does not give businesses the clear direction they need as to when they must report. By comparison, California's amendment, which ties the duty to notify to compromise of the encryption key, articulates a much clearer expectation.

Notes of caution: The amendment does not require that the encrypted data and the encryption key be lost at the same time or to the same unauthorized person, so businesses may now have to keep better track of lost encrypted data over time. The duty to notify could arise long after the initial breach, at the moment the encryption key is acquired. Moreover, the power state of a device (whether it is powered off, in sleep mode, or actively booted) now comes into play. If an encrypted laptop or other mobile device is lost while still booted, or merely asleep, the disk encryption key is typically still held in memory and may be recovered from it, creating another level of uncertainty about whether the key has been compromised.