Governor Jerry Brown signed AB 2525 into law on September 13, 2016, amending California's existing data breach notification law. Under the existing law, businesses were required to notify individuals whose personal information had been compromised only when that information was breached in unencrypted form. Encryption therefore provided a Safe Harbor from reporting a data breach to affected individuals and patients, the Office for Civil Rights and the State Attorney General. AB 2525 narrows that Safe Harbor. After 1/1/17, notification will be required not only for breached unencrypted data, but also for encrypted data that is breached together with the encryption key or security credential that "could render that personal information readable or usable." In practice, this means a breach of encrypted data is still a reportable breach whenever the attacker also obtains the key or credentials needed to decrypt it.
This reinforces what ACS has been saying for several years: encryption alone is not a silver bullet for security or HIPAA Compliance. If the key is stored, transmitted or exposed alongside the data it protects, the encryption provides neither real protection nor relief from notification. The emphasis really needs to be on Proactive Security, including protecting encryption keys and credentials separately from the data, with encryption used as the last line of defense after all other avenues of security have been properly utilized.