
Governor Signs Bill Expanding Breach Notification Rules to Encrypted Data

Under AB 2828, California government agencies, businesses and individuals must now notify affected consumers and constituents when encrypted personal information is compromised and there is a reasonable belief that the encryption keys or security credentials needed to read it were also compromised. Previously, the reporting rules applied only when unencrypted personal information was breached.

Gov. Jerry Brown announced Tuesday he has signed AB 2828, a bill on data breaches of personal information. The legislation from Assemblymember Ed Chau, D-Monterey Park, expands California's data breach reporting requirements for government agencies, businesses and individuals.

Under the bill, these entities must now notify affected consumers and constituents when encrypted personal information has been compromised and the keys or credentials that would make it readable are reasonably believed to have been compromised as well, closing a gap in the earlier rules, which treated encrypted data as outside the notification requirement regardless of whether the keys had been taken.

“In an effort to protect consumers after a data breach, AB 2828 requires businesses and government agencies to notify affected consumers where encrypted personal information is disclosed and there is a reasonable belief that encryption keys or security credentials were also compromised and could render the breached information readable or usable,” Chau said in a statement Tuesday. “This bill will allow victims to take the necessary steps to protect themselves from fraud and identity theft before the data is used or sold by the hackers.”

In supporting the bill, Chau cited the February 2015 data breach at health insurer Anthem, which triggered breach notices to an estimated 80 million Americans. The stolen data was unencrypted. But Chau noted that even if it had been encrypted, the attackers could still have read it, because they obtained at least five sets of employee credentials that were able to unlock the encryption.

"Encryption is an important tool to secure sensitive data in transit and at rest, but if the credentials and keys to unlock the data are stolen before, during or after a hacking incident, then the stolen data is as good as decrypted," Chau said in his author's statement about the bill.

The bill was supported by the ACLU, California District Attorney Association, Electronic Frontier Foundation and consumer groups.

AB 2828 passed the Assembly floor by a 79-to-1 vote and the Senate floor 39-to-0.

Matt Williams was Managing Editor of Techwire from June 2014 through May 2017.