Update to California Breach Reporting Coming Soon - Encryption No Longer Qualifies For Safe Harbor

Posted by Amy Wood on Oct 6 2016, 11:01 PM

Governor Jerry Brown signed AB 2525 into law on September 13, 2016, amending the current data breach notification law. Businesses are already required to notify individuals whose personal information has been compromised or breached, but only when that information was in unencrypted form. Encryption provided a Safe Harbor from reporting a data breach to people, patients, the Office for Civil Rights and the State Attorney General. The passing of AB 2525 takes away that Safe Harbor. After 1/1/17, notification will be required for all unencrypted data as well as encrypted data that is leaked together with the encryption key or security credential that "could render that personal information readable or usable."

This reinforces what ACS has been saying for several years -- encryption alone is not a silver bullet for security or HIPAA Compliance.  The emphasis really needs to be on Proactive Security and using encryption as the last line of defense after all other avenues of security have been properly utilized.  
