Breach notification requirements in California have been bolstered by new laws that clarify the definition of encryption as it applies to personal information and establish uniform standards for the language that must be used in notifications to individuals. The new law also establishes a model security breach notification in which information written in plain English is presented under prescribed headings. HIPAA covered entities are exempted from the requirement to use the model notice, although their communications must still use the prescribed section headings and plain-language descriptions.
The amendments require that the notification sent to individuals be titled “Notice of Data Breach” and shall include the following information under prescribed headings:
- Name of Institution
- Date of Notice
- What Happened
- What Information Was Involved
- What We Are Doing
- What You Can Do
- Other Important Information (additional information to supplement the notice)
- For More Information: Call [telephone number] or go to [Internet website]
Although HIPAA covered entities are not required to use the Model Notice, their notification must still carry the title and headings and contain the information prescribed in the statute.
Model Notice Prescribed by Statute (HIPAA Covered Entities Exempt)
A notice meeting the new California requirements for the format and type of information to be provided in a “Notice of Data Breach” is similar to the standard established by the U.S. Department of Health and Human Services for individual notification by a HIPAA covered entity or a business associate in the event of a breach of protected health information. The HIPAA Breach Notification Rule requires that the notice to the individual include a description of the breach, the types of information that were compromised, the steps affected individuals should take to protect themselves, what the covered entity is doing to investigate the breach, mitigate the harm caused by the incident and prevent further breaches, and contact procedures for individuals with questions. Each of these elements maps onto one of the California headings above, so a HIPAA covered entity or business associate can draft a single notice to affected individuals that satisfies both the California and the federal requirements, provided it is titled “Notice of Data Breach” and uses the prescribed headings.
The amendments to the California breach notification statute also amend the definition of the word “encrypted”, which is now defined as data that have been “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” The amendment does not alter the existing safe harbor from the breach notification statute for disclosures of encrypted personal information. For example, a stolen laptop on which patient health information or financial information is stored would not be reportable under the state breach notification law if the data on it was “encrypted”. In practice that turns on whether the encryption was actually in force when the device was taken (a powered-on, unlocked laptop offers no such protection) and whether the decryption key or passphrase was lost along with it.
The California definition of encryption is broader than the federal standard adopted in guidance issued in conjunction with the HITECH Breach Notification Rule. HHS’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals ties encryption to the use of processes or technologies consistent with guidelines established by the National Institute of Standards and Technology (NIST). The California statute permits information to be considered “encrypted” regardless of the specific technology, as long as the method is “generally accepted in the field of information security.” Thus, an incident resulting in disclosure of “hashed” passwords may not trigger the notification requirements. That conclusion should not be taken for granted: hashing is not encryption, and whether a particular scheme renders the data “unusable” depends on how it was done. An unsalted, fast hash (such as MD5 or SHA-1) of a password can be reversed for most real-world passwords by a simple dictionary or lookup-table attack, which makes it hard to argue the data was rendered unusable; a per-user salt and a slow, iterated key-derivation function raise an attacker’s cost substantially, though they still do not protect very weak passwords.
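The following script, added here as an illustration and not part of the original post or the statute, shows why an unsalted fast hash of a password is not the same as rendering the data unusable. The leaked records, usernames, passwords, wordlist and salt sizes are all constructed for the example; the iteration count is kept deliberately small so the script runs instantly, whereas production PBKDF2 settings use hundreds of thousands of iterations.

```python
"""Added example: unsalted SHA-1 password hashes vs salted PBKDF2.

Everything below (users, passwords, wordlist) is constructed sample data.
"""
import hashlib
import os

# Constructed attacker wordlist (in reality: tens of millions of entries).
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1"]

# Constructed plaintext passwords; carol's is strong and not in the wordlist.
PLAINTEXT = {
    "alice": "password",
    "bob": "letmein",
    "carol": "T7#kq9!vLp2@zR",
}

ITERS = 10_000  # kept small for the demo; production uses far more


def sha1_hex(password: str) -> str:
    """Unsalted, single-round SHA-1: what many leaked 'hashed' databases use."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes, iters: int) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (a generally accepted KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters).hex()


def make_unsalted(plaintext: dict) -> dict:
    """Simulate a breached table of unsalted SHA-1 hashes."""
    return {user: sha1_hex(pw) for user, pw in plaintext.items()}


def make_salted(plaintext: dict, iters: int = ITERS) -> dict:
    """Simulate a breached table of (salt, PBKDF2 digest) pairs."""
    table = {}
    for user, pw in plaintext.items():
        salt = os.urandom(16)  # fresh random salt per user
        table[user] = (salt, pbkdf2_hex(pw, salt, iters))
    return table


def crack_unsalted(records: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted hashes.

    One hash per candidate word builds a lookup table that is reused
    against every user, so the cost does not grow with the user count.
    Returns (recovered passwords, number of hash computations).
    """
    lookup = {sha1_hex(word): word for word in wordlist}
    found = {user: lookup[h] for user, h in records.items() if h in lookup}
    return found, len(wordlist)


def crack_salted(records: dict, wordlist: list, iters: int = ITERS) -> tuple:
    """Dictionary attack on salted PBKDF2 hashes.

    The salt forces a separate computation per user per candidate, and
    each computation costs `iters` HMAC rounds. Weak passwords are still
    recovered; the point is the cost multiplier, not immunity.
    Returns (recovered passwords, number of HMAC rounds performed).
    """
    found = {}
    work = 0
    for user, (salt, digest) in records.items():
        for word in wordlist:
            work += iters
            if pbkdf2_hex(word, salt, iters) == digest:
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    unsalted_found, unsalted_work = crack_unsalted(make_unsalted(PLAINTEXT), WORDLIST)
    salted_found, salted_work = crack_salted(make_salted(PLAINTEXT), WORDLIST)
    print("unsalted SHA-1: recovered", unsalted_found, "with", unsalted_work, "hashes")
    print("salted PBKDF2:  recovered", salted_found, "with", salted_work, "HMAC rounds")
```

Both attacks recover alice’s and bob’s passwords because those passwords are in the wordlist; the difference is that the unsalted table falls to five hash computations regardless of how many users it holds, while the salted, iterated table costs the attacker a full key derivation per guess per user. That cost multiplier, together with the per-user salt that defeats precomputed tables, is what makes a salted slow KDF defensible as a “generally accepted” method, and what makes an unsalted fast hash difficult to defend as having rendered the data unusable.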
The amendments to the California breach notification statutes apply to all persons and businesses that do business in California and to all California governmental agencies. This new law took effect on January 1, 2016. Have questions about the new breach law for California? Contact us to learn more.