California Breach Notice Amendment Effective January 1: Are Your Forms Ready?

California recently amended its breach notification statute to require a specific format of notification. The amendment will take effect January 1, 2016. The California breach notice format is now one of the most specific, requiring that individual notices include the title “Notice of Data Breach,” be in at least 10-point type, be written clearly and conspicuously and in plain language, and be organized under the specific headings set forth in the form notice below:

 

The amendments also expand the definition of “personal information” to include “information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.” Further, “encrypted” is now defined as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” Lastly, for purposes of substitute notice, the amendment clarifies that “conspicuous notice” means that the notice posted on the notifying entity’s website must be posted for a minimum of 30 days and include a link to the notice on the home page or first significant page after entering the web site that is in larger type than the surrounding text or in contrasting type, font, or color to the surrounding text, or set off from the surrounding text by symbols or other attention-drawing marks.

Tip: This amendment is a reminder to companies to ensure that when providing notice after a breach, they are following states’ most current notice requirements. Companies that include in their incident response plans form notices intended to address the notice requirements of all jurisdictions should check to make sure that those forms cover this new format.