[ Thursday, November 17, 2016 ]


California data breach notification law undergoes changes: I don't think this is ultimately as big a deal as I initially thought, but Governor Jerry Brown has signed into law a revision to the California data breach notification law, requiring notification where encrypted data is part of the breach.  Under existing law, if the data is encrypted, no breach notification is required.  Under the new law, if the data is encrypted and lost, and the encryption key is believed to be acquired as well, then reporting is required.  That makes sense, and I would have thought that it would have been the case prior to the law change.  I would have certainly advised California clients to report a breach of encrypted data if the encryption key was compromised as well.  Presumably, if encrypted data is lost but the encryption key remains in safe hands, then no notification is required.

Jeff [3:45 PM]
