EdLawConnect Blog

Materials distributed during our Education Law Technology Symposium in September 2015 included pending federal and state bills, the passage of which would affect colleges and universities, community colleges, and K-12 school districts in California. Governor Brown signed into law two bills mentioned in those materials, Senate Bill 570 and Assembly Bill 964, which relate to obligations of agencies in the event of a data breach.

Existing law requires a person or entity conducting business in California or any state or local agency that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system following discovery or notification of the security breach to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. (California Civil Code sections 1798.29 and 1798.82.)

Together, Senate Bill 570 and Assembly Bill 964 amend Civil Code sections 1798.29 and 1798.82 to require a security breach notice to be written in plain language and titled “Notice of Data Breach.” Information required in the notice must be organized under specified headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.”  Additional information may be added. The notice format must be designed to call attention to the nature and significance of the information it contains, the title and headings must be clearly and conspicuously displayed, and the text of the notice must be no smaller than 10-point type. A model written notice, as provided in the statute, may be used for compliance or the agency may use its own form incorporating the required title, headings, and notice information written in plain language. Use of the title, headings and required information written in plain language is required for electronic notice.

The notice must be conspicuously posted on the agency’s website for a minimum of 30 days.  Conspicuous posting means providing a link to the notice on the home page or first significant page that is in larger type than surrounding text, or contrasting text, or set off by symbols or other marks calling attention to the link.

The bills also added “information or data collected through the use or operation of an automated license plate recognition system per Section 1798.90.5” to the definition of personal information covered by this section. They also amended Civil Code sections 1798.29 and 1798.82 to define “encrypted” to mean rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

Because public educational institutions are “local agencies” that maintain computerized data that includes personal information, these requirements apply to California schools, colleges and universities as of January 1, 2016. Having a data breach notification form that complies with these provisions is an important component of an overall data breach action plan. Our firm is available to provide assistance in developing data breach plans to fit the needs of individual institutions.