You might think this is obvious, but just in case it is not, California wants to make this clear. It used to be, in California, that if you had sensitive data encrypted and that data was stolen, you didn’t have to tell people because, after all, it was encrypted.
But there is a rub with that. In most cases, when an authorized user accesses the data, that user does not have to enter the decryption key, right? So where is the key? In some cases, the key is hard coded into the program. In other cases, the key is in a configuration file and in a relatively small number of cases, the key is stored in a device called a hardware security module or HSM. But HSMs are expensive and add a degree of complexity, so most companies don’t use one. Amazon and some other cloud services support HSMs, but you have to pay extra for them.
So what this means is that a lot of the time, when a hacker breaks into a system and the data is encrypted, the decryption key is right there for the hacker to take as well. That is why sometimes you hear about a breach and they say “even if the data was encrypted it would not have solved the problem”.
So here is what CA AB 2828 says.
- If a system is breached and
- Encrypted personal information was or was reasonably be believed to have been taken and
- The encryption key or other decryption credentials was or was believed to have been taken and
- There is a reasonable belief that the encryption key or other credentials could make that data readable
Then you are required to make a breach notification.
This law goes into effect January 1, 2017.
Once this law goes into effect, even if the data is encrypted, you will need to be able to show, in case of a breach, that the hacker did not access the decryption keys. This may require additional logging or auditing and you have to save that audit trail so that you can use it years later in case of a lawsuit. Your operations team will likely need to make changes in order to do this.
Remember that with state breach notification laws, it matters where the person who’s data was breached lives, not where your office is, so if you are in Colorado but you have customers in California, California may come after you in the case of a breach.
Whether you are worried about the California law or not (and some other states have breach laws that require notification whether the data is encrypted or not), now would be a good time to consider whether your encryption will stop a hacker who breaks into your system from reading your data. Dealing with a breach is expensive, hurts your reputation and may cost you customers. Avoiding a reportable breach just makes good business sense, independent of the law.
Information for this post came from National Law Review.