A timely reminder for the new year: Beginning on January 1, 2012, any businesses that have a data breach must alert the California Attorney General’s office if more than 500 Californians are affected. I’m pretty sure that this does not extend to any sensitive information that was protected with adequate data protection tools, like AlertBoot’s laptop encryption software.
I first mentioned this about 6 months ago, here.
Also, the revised law has requirements on what must be included in the breach notification letters sent to customers:
Must be in plain language
A list of personal information that was breached
The date of the breach
A description of the breach
Whether law enforcement requested a delay in the notification
Instructions on contacting the major credit reporting agencies
I’m not a lawyer, so I’m not sure whether this train of thought makes sense, but under California law “personal information” is defined as:
composed of an individual’s first name or first initial and last name that is combined with one or more of the following data, wherein either the name or the data it is combined with are not encrypted [my emphasis]
In other words, when you use encryption software to protect data, this is no longer personal information. Since it’s not personal information, it can’t lead to a data breach if you lose, say, a laptop with five gazillion names and SSNs.
Hence, encryption provides one with safe harbor from the notification requirements, including the notification to the CA AG.
Related Articles and Sites: