CALIFORNIA'S PROPOSED STRENGTHENED DATA PRIVACY LAW TERMINATED

It appears that John Connor is not the only thing from the future in Governor Schwarzenegger’s crosshairs. The Governator vetoed the update to California’s landmark privacy protection law (AB 700), known as SB 20, which California’s State Legislature had previously approved and which we reported about here. SB 20 was proposed by State Senator Joe Simitian (D-Palo Alto).

Simitian, the author of California’s existing privacy legislation (AB 700), created a bill that had no apparent opposition. In fact, Simitian has a record of creating trend-setting legislation in the privacy field, with more than 40 states adopting legislation similar to the legislation that he authored for California (AB 700). Scientific American named Simitian as a member of the “Scientific American 50” in 2003 in the “Privacy & Security” category for his work on California’s existing legislation (AB 700).

The California Chronicle quoted Simitian as saying “I’m surprised as well as disappointed by the Governor’s veto. There was no opposition to the bill in its final form. This was a common sense step to help consumers.”

As a refresher, SB 20 would have accomplished two major goals. First, SB 20 would have required that the notification letters sent to victims “contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.”

Second, SB 20 would also have required that parties that have a (single event) data breach that affects more than 500 California residents provide a copy of the notification letter to the state Attorney General’s office.

While the basis for the Governor’s veto of SB 20 was not immediately apparent, it is likely that Simitian will reintroduce this legislation with some adjustments.

Identity Theft Regulations in Massachusetts May Get Small Business Friendly

The Office of Consumer Affairs and Business Regulations (OCABR) proposed revisions to the Massachusetts identity theft regulations, which would take effect on March 1, 2010.

The proposed regulations can be found here (PDF). A comparison, or redline, of the proposed regulations to the current regulations can be found here (.DOC). Finally, a set of frequently asked questions (FAQs) regarding the proposed regulations was prepared by the OCABR and can be found here (PDF), and they are certainly worth a read.

Citing a desire to undertake data security as “a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers,” the OCABR emphasized that a business should assess the size and nature of the business, the kinds of records maintained and the risk of the business as an identity theft target when deciding its policies and procedures to handle personal information.

Borrowing from the FAQs above, the OCABR cites four major changes under the proposed regulations:

• As noted above, a risk-based approach to information security is adopted (consistent with other state and federal law). This approach is friendlier to small businesses and does not place the same burdens on travel agencies (collecting little personal information) that may be placed on wealth managers (collecting significant amounts of personal information).
• Many provisions that are currently required under a written information security program have been removed (and would be for guidance purposes moving forward).
• The encryption requirement under the current regulation has been tailored to be technology neutral, and a technical feasibility standard has been applied to all computer security requirements. Businesses must still use reasonable means where they are available.
• The third party vendor requirements have been changed to be consistent with federal law.

One aspect that has NOT been proposed to be changed, and the one aspect of Massachusetts’ cutting-edge privacy regulations that (in my experience) most often catches businesses off guard, is that all means of storage of personal information must be encrypted. This includes hard drives, thumb drives, backup tapes and any other method of electronic storage. Although this encryption requirement is almost certainly the direction most states are headed, it is almost unknown outside of the “privacy community.” As with most laws, ignorance of the requirement is not a defense.

Although the future for the proposed regulations is by no means decided, it is likely that some (if not all) of the proposed changes will see the light of day. We will know more after the public hearings on the revised regulations that are scheduled to occur on September 22, 2009.

House Calls For Increased Internet Privacy Protection

House Energy and Commerce Communications Subcommittee Chairman Rick Boucher (D-Va.) plans to introduce a bill to provide Web users greater confidence in how information collected online is stored and used. In a hearing held last month, Boucher focused on pipeline providers, such as AT&T, Comcast and Verizon. The panel discussed whether the government should regulate a filtering technology that Internet firms employ for security reasons. This technology, however, can also be used to target advertising by tracking customers' Internet use and compiling detailed customer profiles without their consent.

Boucher has decided to join forces with Energy and Commerce Consumer Protection Subcommittee Chairman Bobby Rush (D-Ill.), who recently introduced the Data Accountability and Trust Act (H.R. 2221). The Data Accountability and Trust Act, in its proposed form, would preempt state data breach notification laws and require entities that collect personal information to implement certain security policies. Boucher and Rush plan to hold a joint hearing this summer to determine how they can combine their efforts. Google and Yahoo have already expressed an interest in testifying at this joint hearing.

Data Accountability and Trust Act: Federal Breach Notification, Data Security Policies and File Access Addressed

The U.S. House of Representatives continues to debate, revise and take testimony on a major piece of proposed federal privacy legislation, the Data Accountability and Trust Act (H.R. 2221) (“DATA”), which was referred to the House Committee on Energy and Commerce on April 30, 2009.

The proposed DATA legislation has three primary goals. First, DATA would put into place a first of its kind (other than the HITECH Act applicable to medical data, discussed here) federal law setting the standards for notification of breaches or thefts involving personally identifiable information. DATA would also require that notification be provided to the FTC if there is a breach. Although there is no current requirement of notification to state agencies, DATA does allow state agencies and the FTC to enforce the provisions of DATA. Although almost all states and jurisdictions have data breach notification laws in place, and other states are on the verge of passing new data breach notification laws, a federal law would replace the jumble of standards and reporting requirements. Although privacy proponents generally applaud the idea of data breach notification standards, fear of putting in place a lower standard than that already in place in some jurisdictions continues to cast a shadow over this prospect. As with many state laws, a firm could avoid notifying customers and the FTC if it determines that there is no risk of harm from the breach or theft. This “no risk” standard, however, would be a lesser standard than that of those states that require reporting regardless of whether there is a risk. Therefore, while preemption is not being dismissed by those following the legislation, a demand for adequate notification standards continues.


Proposed US Law Would Permit Government to Shut Down the Internet

The Cybersecurity Act of 2009 (PDF link), introduced by Senators John Rockefeller (D-W. Va.) and Olympia Snowe (R-Maine), is no April Fool’s joke. The proposed law would give President Obama the power to shut down domestic Internet traffic (services, applications and software) during a state of emergency. The Committee on Commerce, Science and Transportation will take up this proposed law.

The proposed law would create the Office of the National Cybersecurity Advisor, an extension of the executive branch that would have broad power to control and monitor Internet traffic to protect against cybersecurity threats. Furthermore, the Commerce Department would be given the ability to bypass every existing law regarding privacy and to access any relevant information regarding citizens’ and businesses’ use of the Internet while investigating cybersecurity threats (real and perceived).

The proposed law makes no clear indication of what is meant by the phrases “critical information network” or “cybersecurity emergency,” instead (broadly) leaving that interpretation to the president. The Secretary of Commerce would have “access to all relevant data concerning [critical] networks without regard to any provision of law, regulation, rule, or policy restricting such access.”
