Beginning on January 1, 2017, organizations in California cannot automatically assume that personal details are safe if they were encrypted at the time of a data breach. This, in turn, means that businesses and other organizations will have to give some thought as to whether a data breach must be made public.
Encrypted Personal Information Could Trigger Breach Notification
Per natlawreview.com, California’s AB 2828 contains this update:
Beginning in 2017, notification will be required for breaches of encrypted personal information of California residents under the following conditions:
encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person,
the encryption key (confidential key or process designed to render the data readable) or security credential was, or is reasonably believed to have been, acquired by an unauthorized person, and
there is a reasonable belief that the encryption key or security credential could render that personal information readable or useable.
As you can see, all three of the above conditions must be satisfied for the breach notification to go into effect. This is only sensible.
One of the contentious aspects of the original California data breach notification legislation, from back in 2003, was that companies need not report a data breach if data was encrypted, regardless of the details surrounding the data breach. This is problematic: What if the encryption key or the password for accessing the encrypted data was also stolen along with the protected data? Does that merit a respite from notifying people?
While the spirit of the law may have been that companies should go public with the situation, the truth is that the law had a loophole that allowed the opposite. Since the law stated that the loss or theft of encrypted data was excluded from the definition of a data breach, companies were free to do whatever they wanted if, say, an encrypted laptop was stolen… but the password to it was taped to the bottom of the device.
This latest update closes the loophole.
A second criticism was that the legal definition of encryption was not as stringent as it should have been. The data security community pointed out that in the initial version of the breach notification law, “hashing” could also be seen as “encryption” based on how the latter was defined in the books.
(Hashing is essentially the practice of feeding data to an algorithm and consistently getting the same result for a given input. For example, the input is “as” and the output is always “3n23nfs9d2.” Producing the output is a complex process. But as a security measure it is moot if someone decides to feed the algorithm as many inputs as possible, note each result, and save input and output together in a file to look up later.)
In the past ten years, we’ve seen how that turned out. Not only is hashing not enough, apparently salted hashes (where random data is added to the original input, making the output harder to reverse engineer) offer subpar security as well. Whether adequate security was in place depends on what was used and how it was implemented, along with many other factors.
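As an added illustration of the two points above (this is example code written for this page, not anything from the original post or from the statute), the following Python script uses only the standard library to show why an unsalted hash is undone by the precomputed “file to look it up later” the post describes, why a random salt defeats that file but still leaves a fast hash guessable one record at a time, and how a deliberately slow, salted construction (PBKDF2-HMAC-SHA256 here) changes the cost of each guess. The five-word candidate list is constructed for the example; real lists are far larger, and the hex digests are real SHA-256 values rather than the post’s illustrative “3n23nfs9d2.”

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for the "as many inputs as possible" file
# the post describes. Real lists are far larger; the principle is the same.
CANDIDATES = ["as", "password", "letmein", "hunter2", "qwerty"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> input once. Anyone holding this table reverses an
    unsalted hash of any listed input with a single dictionary lookup."""
    return {sha256_hex(c.encode()): c for c in candidates}


def reverse_by_lookup(table, digest):
    """Constant-time reversal of an unsalted digest; None if it was never precomputed."""
    return table.get(digest)


def salted_sha256(password: str, salt: bytes) -> str:
    """Fast salted hash: a random salt is prepended, so a table built from the
    bare inputs no longer matches anything."""
    return sha256_hex(salt + password.encode())


def guesses_needed(candidates, salt, target_digest, hash_fn):
    """Work required against one salted record when the salt is known (it is
    stored next to the hash): one hash computation per candidate, per record.
    Returns (matching_candidate_or_None, number_of_hashes_computed)."""
    for count, candidate in enumerate(candidates, start=1):
        if hmac.compare_digest(hash_fn(candidate, salt), target_digest):
            return candidate, count
    return None, len(candidates)


def pbkdf2_hex(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """Slow salted hash from the standard library. Each guess now costs
    `iterations` HMAC evaluations instead of one, which is the property a
    plain salted SHA-256 lacks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_pbkdf2(password: str, salt: bytes, iterations: int, stored_hex: str) -> bool:
    """Constant-time comparison so verification itself does not leak timing."""
    return hmac.compare_digest(pbkdf2_hex(password, salt, iterations), stored_hex)


def cost_per_guess_ratio(salt: bytes, iterations: int = 100_000) -> float:
    """Rough wall-clock ratio of one PBKDF2 guess to one plain SHA-256 guess.
    Machine-dependent; shown for scale, not as a benchmark."""
    t0 = time.perf_counter()
    salted_sha256("as", salt)
    t_fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    pbkdf2_hex("as", salt, iterations)
    t_slow = time.perf_counter() - t0
    return t_slow / max(t_fast, 1e-9)


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)

    # 1. Unsalted: the stored digest is reversed by lookup alone.
    stored_plain = sha256_hex(b"as")
    print("unsalted, via lookup table:", reverse_by_lookup(table, stored_plain))

    # 2. Salted: the same table finds nothing, but one hash per candidate
    #    per record still recovers a listed input quickly.
    salt = os.urandom(16)
    stored_salted = salted_sha256("as", salt)
    print("salted, via lookup table:", reverse_by_lookup(table, stored_salted))
    print("salted fast hash, by guessing:",
          guesses_needed(CANDIDATES, salt, stored_salted, salted_sha256))

    # 3. Salted and slow: same guessing loop, but each step is far costlier.
    stored_slow = pbkdf2_hex("as", salt, 100_000)
    print("PBKDF2 verifies:", verify_pbkdf2("as", salt, 100_000, stored_slow))
    print("approx. cost per guess vs SHA-256: x", round(cost_per_guess_ratio(salt)))
```

Run it as a script to see the three cases side by side. The design point is the one the post gestures at: whether “adequate security was in place” is not settled by the word “hashed” or even “salted”; it depends on whether the construction forces a per-guess cost that makes enumerating candidate inputs impractical.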
The definition of encryption in California was amended quite recently, it seems, by including that it is a “security technology or methodology generally accepted in the field of information technology.”
It only took ten-plus years since the initial criticism.
A History of Updates and Upgrades
Looking back on this blog’s entries, it’s apparent that California has been doing the best job when it comes to data breach notifications. It was not only the first state to pass such a law, beating even the US federal government to the punch; it has also regularly updated the original bill.
At the beginning, only “personal information” was covered (i.e., names and SSNs, plus some other sensitive data). Later, medical information was brought into the fold as well.
The law was amended so that the state’s AG is alerted if more than 500 Californians are affected.
The breach notification’s content and format was also legislated so that companies would be forced to declare things transparently, at least to a point. (You’d be amazed how many companies would employ verbal judo and write two or three pages with words that mean absolutely nothing in the end).
I guess, under the circumstances, California should be applauded for continuously improving the law that covers data breaches and the notification thereof.
Of course, if they really wanted to effect changes, they’d heavily fine companies that don’t satisfy a certain security standard. That’s what the federal government did with HIPAA/HITECH, and it really lit a fire under HIPAA covered entities once Massachusetts General Hospital was fined $1 million.