California Legislature Advances Groundbreaking Privacy "Right to Know Act"

In what could be an unprecedented victory for consumers' right to know how businesses use their personal information, California's "Right to Know Act of 2013" (AB 1291) made further headway on Monday, April 1st, when it was read a second time and amended.  As reported by Ars Technica, the Right to Know Act, introduced by California Assembly Member Bonnie Lowenthal, was the product of significant lobbying by the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California.

The current summary of the bill states:

(1) Existing law requires a business to ensure the privacy of a customer’s personal information, as defined, contained in records by destroying, or arranging for the destruction of, the records, as specified. Any customer injured by a business’ violation of these provisions is entitled to recover damages, obtain injunctive relief, or seek other remedies.

This bill would create the Right to Know Act of 2013, would repeal and reorganize certain provisions of existing law, and would provide legislative findings in support thereof.

(2) Existing law also requires a business that collects customer information for marketing purposes and that discloses a customer’s personal information to a 3rd party for direct marketing purposes, to provide the customer with whom it had a business relationship, as defined, within 30 days after the customer’s request, as specified, in writing or by e-mail, the names and addresses of the recipients of that information and specified details regarding the information disclosed, except as specified. Existing law requires a business subject to these provisions to provide an address, electronic address, or toll-free telephone or facsimile number that a customer may use to deliver requests for copies of his or her personal information.

This bill would instead require any business that retains a customer’s personal information, as defined, or discloses that information to a 3rd party, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer. This bill would require that a business subject to these provisions choose one of several specified options to provide the customer with a designated address for use in making a request for copies of information under these provisions.

(3) Existing law also requires a business that is required to comply with these provisions to provide information to customers regarding its privacy policy and to provide a designated means of preventing disclosure of personal information.

This bill would require a business that is required to comply with these provisions to provide specified notice to the customer of its privacy policies.

(4) Existing law provides that a customer who sustains injury as a result of a violation of these provisions is entitled to specified remedies, including civil penalties.

This bill would also provide that a violation of these provisions is deemed to constitute an injury to the customer for purposes of seeking remedies available under law.

In other words, by deeming any violation an injury to the customer, the Act removes the need to show actual harm before suing and effectively gives consumers a private right of action against businesses that do not comply with it.

The EFF appears to be quite pleased with the bill, as noted in its press release on April 2nd.  The EFF emphasized that the point of the law is to let consumers better understand the vast data-sharing economy: "This law is about transparency and access, not new restrictions on data sharing. The proposed law wouldn't limit or restrict sales of data, and it wouldn't provide additional security measures for how data is stored or new requirements for anonymization. While those are all important issues to consider, the law is actually far more basic. It helps consumers, regulators, policymakers, and the world at large shine a light onto the largely hidden, highly lucrative world of the personal data economy."

It will be interesting to see (1) whether the Act continues toward enactment, (2) how companies outside California that hold information about California residents implement the law, and (3) whether this very European-style law catches on in other states.


New Effort at Federal Privacy Law Big On Promises

Rep. Rick Boucher (D-VA) and Rep. Cliff Stearns (R-FL) proposed federal legislation last week that would create a two-tier standard of protection for private information: "covered information" would fall under the standard "opt-out" model, while "sensitive information" would require "opt-in" consent.

The proposed legislation breathes new life into a perennially dead-on-arrival category of legislation, and potentially offers something the Obama administration can support in fulfilling its promise to close existing gaps in federal privacy law.

The phrase "sensitive information" includes any information that relates to an individual's medical records, race or ethnicity, religious beliefs, sexual orientation, financial records or precise geolocation.

Opponents of the legislation have jumped all over it, claiming that it does not go far enough to protect individuals, especially online. Others note that European law remains the gold standard for privacy protection, and that this legislation stopped short of that standard because of backlash from business.


Credit Checks in Hiring Process Called Into Question

The New York Times had an interesting article on Friday discussing a recent trend in state legislatures to prevent the use of credit reports as a tool for private businesses to screen job applicants.  According to the article, more than a dozen state legislatures are currently considering such legislation.

With the downturn in the economy, the continually rising cost of health care (and the loss of insurance that comes with unexpected unemployment), and the failure of the recently unemployed to change their spending habits, poor credit has affected more and more individuals.

To fight this trend toward prohibiting the use of credit reports in hiring, credit reporting agencies such as TransUnion (you know, one of the companies that sells those credit reports to private businesses) have lobbied to block such legislation.  One tactic has been to sell the credit report as a mechanism for protecting your business and your employees.  Don't you care enough to protect your employees, you monster?  This is the same approach that has parents paying $800 for a baby stroller.  Apparently, these efforts have been successful in some states, such as California, Maryland and Connecticut.

But what does a poor credit report really tell you about an applicant?  The article points out that there have been no comprehensive studies of the correlation between poor credit and employee fraud or theft, and that the one small study it cites found no such correlation.

If your business does credit checks as part of a background check on a potential employee, I suggest you read the article and consider a few questions.  First, do you get written permission to obtain the credit report?  (You need that written authorization under federal law, the Fair Credit Reporting Act, which also requires you to give the applicant a copy of the report and a summary of his or her rights before taking any adverse action based on it.)  Second, does your human resources staff understand that it should not make employment decisions based solely on the credit report?  Finally, do you really need the report? Does it actually tell you anything, and, if it does, do you limit your practice of obtaining it to positions that involve handling money or that carry other fiduciary responsibilities?

Online Privacy Regulation Comes Front and Center at FTC, and Will Quickly Fade

A standing-room-only roundtable organized by the Federal Trade Commission (FTC) in Washington on Monday, December 7th, highlighted a crucial divide in the discussion over the regulation of online privacy. The New York Times provides an excellent summary of the newsworthy aspects of the meeting.

While the takeaway may be that the FTC is taking a more serious look at online privacy and net neutrality, the reality is that oversight is not going to happen anytime soon. Not anytime soon as in years, if ever. Policy making as the solution is not going to address any immediate concerns or problems.

What may be of more interest is the deep divide between the parties with a vested interest in the outcome of the discussion, namely consumers and consumer advocates on one side and, on the other, the parties making money from information that may one day be regulated.


California's Proposed Strengthened Data Privacy Law Terminated

It appears that John Connor is not the only thing from the future in Governor Schwarzenegger’s crosshairs. The Governator vetoed SB 20, the update to California’s landmark data breach notification law (AB 700), which California’s State Legislature had previously approved and which we reported on here. SB 20 was authored by State Senator Joe Simitian (D-Palo Alto).

Simitian, the author of California’s existing breach notification legislation (AB 700), wrote a bill that had no apparent opposition. In fact, Simitian has a record of creating trend-setting legislation in the privacy field, with more than 40 states adopting legislation modeled on the bill he authored for California (AB 700). Scientific American named Simitian to the “Scientific American 50” in 2003 in the “Privacy & Security” category for his work on that legislation.

The California Chronicle quoted Simitian as saying “I’m surprised as well as disappointed by the Governor’s veto. There was no opposition to the bill in its final form. This was a common sense step to help consumers.”

As a refresher, SB 20 would have accomplished two major goals. First, SB 20 would have required that the notification letters sent to breach victims “contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.”

Second, SB 20 would also have required that any party suffering a single data breach affecting more than 500 California residents provide a copy of the notification letter to the state Attorney General’s office.

While the basis for the Governor's veto of SB 20 was not immediately apparent, it is likely that Simitian will reintroduce this legislation with some adjustments.

Identity Theft Regulations in Massachusetts May Get Small Business Friendly

The Office of Consumer Affairs and Business Regulation (OCABR) has proposed revisions to Massachusetts’ identity theft regulations (201 CMR 17.00), which would take effect on March 1, 2010.

The proposed regulations can be found here (PDF).  A comparison, or redline, of the proposed regulations to the current regulations can be found here (.DOC).  Finally, a set of frequently asked questions (FAQs) regarding the proposed regulations was prepared by the OCABR and can be found here (PDF), and they are certainly worth a read.

Describing the revisions as “a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers,” the OCABR emphasized that a business should weigh its size and nature, the kinds of records it maintains, and its risk as an identity theft target when setting its policies and procedures for handling personal information.

Borrowing from the FAQs above, the OCABR cites four major changes under the proposed regulations:

• As noted above, a risk-based approach to information security is adopted (consistent with other state and federal law). This approach is friendlier to small businesses and does not place on a travel agency (which collects little personal information) the same burdens that may be placed on a wealth manager (which collects a great deal).
• Many provisions currently required in a written information security program have been removed (and would serve as guidance going forward).
• The encryption requirement under the current regulation has been made technology neutral, and a technical-feasibility standard now applies to all computer security requirements. Businesses must still use reasonable means where they are available.
• The third-party vendor requirements have been changed to be consistent with federal law.

One aspect that has NOT been proposed for change, and the one aspect of Massachusetts’ cutting-edge privacy regulations that (in my experience) most often catches businesses off guard, is the encryption requirement: personal information stored on laptops and other portable devices (thumb drives, backup tapes, portable hard drives and any other removable electronic storage), and personal information transmitted across public networks or wirelessly, must be encrypted to the extent technically feasible. Although this encryption requirement is almost certainly the direction most states are headed, it is almost unknown outside the “privacy community.” As with most laws, ignorance of the requirement is not a defense.

Although the future of the proposed regulations is by no means decided, it is likely that some (if not all) of the proposed changes will see the light of day. We will know more after the public hearing on the revised regulations, which is scheduled for September 22, 2009.

House Calls For Increased Internet Privacy Protection

House Energy and Commerce Communications Subcommittee Chairman Rick Boucher (D-Va.) plans to introduce a bill to give Web users greater confidence in how information collected online is stored and used. In a hearing held last month, Boucher focused on pipeline providers such as AT&T, Comcast and Verizon. The panel discussed whether the government should regulate deep packet inspection, a traffic-filtering technology that Internet providers deploy for security reasons (for example, to detect malware and abuse on their networks). The same technology, however, can be used to target advertising by tracking customers' Internet use and compiling detailed customer profiles without their consent.

Boucher has decided to join forces with Energy and Commerce Consumer Protection Subcommittee Chairman Bobby Rush (D-Ill.), who recently introduced the Data Accountability and Trust Act (H.R. 2221). The Data Accountability and Trust Act, in its proposed form, would preempt state data breach notification laws and require entities that collect personal information to implement specified security policies. Boucher and Rush plan to hold a joint hearing this summer to determine how to combine their efforts. Google and Yahoo have already expressed an interest in testifying at that hearing.

Data Accountability and Trust Act: Federal Breach Notification, Data Security Policies and File Access Addressed

The U.S. House of Representatives continues to debate, revise and take testimony on a major piece of proposed federal privacy legislation, the Data Accountability and Trust Act (H.R. 2221) (“DATA”), which was referred to the House Committee on Energy and Commerce on April 30, 2009.

The proposed DATA legislation has three primary goals. First, DATA would put in place a first-of-its-kind federal standard (apart from the HITECH Act, which applies to medical data and is discussed here) for notification of breaches or thefts involving personally identifiable information. DATA would also require that the FTC be notified of any breach. Although DATA does not require notification to state agencies, it does allow state agencies and the FTC to enforce its provisions.

Almost all states and jurisdictions already have data breach notification laws in place, and others are on the verge of passing them, so a federal law would replace the current jumble of standards and reporting requirements. Although privacy proponents broadly applaud the idea of a uniform breach notification standard, the fear that a federal standard would be weaker than the standard already in place in some jurisdictions continues to cast a shadow over the prospect. As under many state laws, a firm could avoid notifying customers and the FTC if it determines that the breach or theft poses no risk of harm. This “no risk” exception, however, is a lower standard than that of states which require reporting regardless of risk. Therefore, while those following the legislation are not dismissing preemption, the demand for adequate notification standards continues.


Proposed US Law Would Permit Government to Shut Down the Internet

The Cybersecurity Act of 2009 (PDF link), introduced by Senators John Rockefeller (D-W. Va.) and Olympia Snowe (R-Maine), is no April Fool’s joke.  The proposed law would give President Obama the power to shut down domestic Internet traffic (services, applications and software) during a declared cybersecurity emergency.  The Committee on Commerce, Science and Transportation will take up the bill.

The proposed law would create the Office of the National Cybersecurity Advisor within the executive branch, with broad power to control and monitor Internet traffic in order to protect against cybersecurity threats.  Furthermore, the Commerce Department would be able to bypass every existing law regarding privacy and access any relevant information about citizens’ and businesses’ use of the Internet while investigating cybersecurity threats, real or perceived.

The proposed law does not define the phrases “critical information network” or “cybersecurity emergency,” instead leaving that interpretation broadly to the President.  The Secretary of Commerce would have “access to all relevant data concerning [critical] networks without regard to any provision of law, regulation, rule, or policy restricting such access.”
