29 September 2016
On 13 September 2016, the Governor of California, Jerry Brown, signed Bill AB-2828 into law, amending Sections 1798.29 and 1798.82 of the California Civil Code, which govern data breach notification. In particular, the amendments require a person or business operating in California, and any agency, that owns or licences computerised data including personal information to disclose breaches of encrypted data to affected individuals if the encryption key is, or is believed to be, compromised.
Timothy Toohey, Attorney At Law at Greenberg Glusker Fields Claman & Machtinger LLP, told DataGuidance, “California’s data breach notification law was the first of its type and is generally considered a model of its kind. The law has gradually evolved and been changed over many years to incorporate different types of personal information, such as usernames and passwords. The recent amendment to the law is a common sense one. If the encryption code is breached, the encryption would be rendered useless because the hacker could simply apply the breached encryption code to the data.”
The original 2002 version of California’s data breach notification law introduced an exception for ‘encrypted’ information, providing that the loss of such data would not trigger notification obligations.
Alex C. Lakatos, Partner at Mayer Brown LLP, commented, “Many professionals already considered the compromise of an encryption key to mean that the related data was not actually encrypted. Additionally, other states have already had substantially compromised encryption key provisions in place for several years (e.g., Massachusetts and Oregon since 2007) and businesses have managed to adapt their systems to those requirements. In fact, I would even go so far as to say that the California amendments provide greater certainty to businesses by specifying more precisely when they may rely on the exemption from notification.”
Over the years, California has passed a number of amendments to strengthen consumer protection under its data breach notification law. Amendments from 2015 clarified the concept of ‘encrypted data’, defining it as ‘data rendered unusable, unreadable, or indecipherable to an unauthorised person through a security technology or methodology generally accepted in the field of information security.’
Joan Antokol, Partner at Park Legal LLC, highlighted, “While many people assume that encrypted data is fully protected, these days this is not necessarily the case. Hackers are increasingly able to access encryption keys associated with personal data, and can then misuse the data as if it had never been encrypted in the first place. This is the case in relation to Secure Sockets Layer (‘SSL’) websites, which were once considered the gold standard for transmitting encrypted data over the internet.”
SSL was used as an encryption protocol for more than 20 years; however, a series of vulnerabilities that could not be fixed within the protocol led to the development of other, stronger methods.
Scott Koller, Counsel at Baker Hostetler, noted, “I think a bigger issue, which has not been addressed, is how do you take into consideration the unauthorised acquisition of encrypted data where the decryption key was not compromised, and yet by virtue of the type of encryption used could be rendered readable. For example, if the encryption strength is too weak (such as 64 or 128 bit encryption), flawed encryption (such as Dual_EC_DRBG), or where the encryption has been implemented incorrectly or in a way that makes it possible to brute force the key (such as the failure to salt the password).”
Bill AB-964 requires the encryption used to protect data to be ‘generally accepted in the field of information security.’ To help determine which methodologies satisfy this requirement, the California Attorney General published non-binding guidance in 2013 providing that “data encryption should meet the National Institute of Standards and Technology’s Advanced Encryption Standard.”
Lakatos concluded, “I think it is important to remember that lawyers and business line personnel need to include technical experts in their evaluations of data breaches to ensure that they understand what has occurred from a technological standpoint, before they move on to analysing the legal and other implications. A technical expert would be able to identify the difference and work with the lawyer to explain to the business line why notification still may be required.”
Agata Dziedzic | US Privacy Analyst