On September 13, 2016, Governor Jerry Brown signed AB 2525, which amends the state’s data breach notification law (California S.B. 1386) requiring businesses to disclose data breaches to individuals whose personal information has been compromised. Currently, the law only requires businesses to disclose breaches where “unencrypted” information is breached. Under the new amendment, however, businesses must soon disclose breaches even when “encrypted” information has been acquired in an unauthorized breach. Under the amended law, as of January 1, 2017, the notification obligation will be triggered where encrypted data is leaked together with the encryption key or security credential that “could render that personal information readable or useable.”
Read more on Lexology