California Attorney General Launches Online Breach Reporting Form

The California Attorney General recently launched an online form for businesses to report breaches of security. Effective January 1 of this year, any person or business that issues a breach notification to more than 500 California residents as a result of a single breach is required under the California breach law (Cal. Civ. Code §§ 1798.29(a) and 1798.82(a)) to submit notice of the breach to the California Attorney General. The form requires businesses to upload a sample copy of the breach notification and to submit additional information related to the breach, including:

· The date of the breach
· The date notice was provided to affected individuals
· The type of personal information involved
· The type of breach

In addition to the online reporting form, the new site also includes a section where residents can view a listing of all breaches that have been submitted to the Attorney General's office.

California Amends its Data Breach Notification Law

A new amendment to California's security breach notification statute establishes specific content requirements for data breach notifications and imposes a new Attorney General notification requirement for breaches affecting more than 500 California residents. Senate Bill 24 ("SB 24") was signed on August 31, 2011 by California Governor Jerry Brown and will take effect January 1, 2012. Since 2003, when California enacted the first data breach notification law of its kind (Cal. Civ. Code §§ 1798.29 & 1798.82), California law has required any person, business or state agency that owns or licenses computerized data including certain personal information to notify individuals when there has been a breach of that information, but it did not specify what the notification should contain. California now joins the ranks of several other states whose data breach notification laws contain breach notification content mandates.

SB 24 requires all breach notifications to include the name and contact information of the notifying person or entity and a list of the types of personal information compromised, or reasonably believed to have been compromised. The notifying person or entity must also provide the toll-free telephone numbers and addresses of the three major credit reporting agencies (TransUnion, Equifax and Experian) if the breach exposed a Social Security number, driver's license number, or California identification card number. Notifications must also be written in "plain language" and provide a general description of the breach incident, if that information has been determined.

If it can be determined at the time the notice is provided, the notification must state the date of the breach, the estimated date of the breach, or the date range within which the breach occurred. Each notice must also include the date of the notice. The notification must also state whether it was delayed because of a law enforcement investigation. The law allows, but does not require, the person or business to provide information about what it has done to protect individuals whose information has been breached and recommendations on how individuals can protect themselves.

Special requirements also apply to larger-scale breaches. The law requires any agency, person or business that notifies more than 500 California residents to submit a single sample copy of the notification, excluding any personally identifiable information, to the Attorney General.

In addition, SB 24 provides that HIPAA covered entities following the HITECH Act breach notice requirements will be deemed in compliance with the SB 24 content requirements, but such entities will still have to comply with the Attorney General notice provision.

SB 24 follows recent proposals at the federal level to implement a nationwide data breach notification requirement. See our recent post on those proposals for more information.

Ninth Circuit Rules on CAN-SPAM Standing Requirements

The U.S. Court of Appeals for the Ninth Circuit held on August 6, 2009 that standing for private plaintiffs under the CAN-SPAM Act is limited. Judge Richard Tallman, who authored the court's opinion in Gordon v. Virtumundo, Inc., No. 07-35487 (9th Cir. Aug. 6, 2009), noted that this was the first case in which the Ninth Circuit had attempted to comprehensively address the standing requirements under CAN-SPAM.

The plaintiff, James S. Gordon, operated a website through which he provided email addresses for himself and for friends and family members. He intentionally registered these email addresses with 100 to 150 email mailing lists. After the addresses began receiving commercial email, Gordon filed suit against many of the companies that had sent such email, including Virtumundo, Inc.

The CAN-SPAM Act is primarily enforced by the Federal Trade Commission and state Attorneys General. However, the Act does provide a private right of action for a "provider of Internet access service adversely affected by a violation." The Ninth Circuit held that Gordon failed to satisfy either prong of this standing requirement.

In addressing the service provider prong of the standing requirement, the court noted that the CAN-SPAM Act does not limit standing to traditional Internet service providers and cited two lower-court decisions holding that the social networking services MySpace and Facebook qualified as "access services." While explicitly declining the opportunity to set forth a general test for what it means to be "a provider of Internet access service," the court found that Gordon's service was limited to setting up email accounts and passwords and performing other administrative tasks, which was not enough to make him an Internet access service provider within the meaning of CAN-SPAM. Gordon's online access was provided by Verizon, and GoDaddy provided the service that enabled Gordon to create the email addresses and the personalized website; according to the court, both of these entities could make a compelling argument that they are Internet access service providers.

As for the second prong of the standing requirement, CAN-SPAM itself does not define "adversely affected." The Ninth Circuit noted that "the harm must be both real and of the type experienced by ISPs." Where there is suspicion that "a plaintiff is not operating a bona fide Internet access service," courts should take an especially close look at the cited harms. The court found that Gordon had failed to show that he had suffered any real harm of the kind contemplated by the CAN-SPAM Act: he did not have to hire additional personnel, nor did he experience the technical problems or costs that commercial email can impose on a provider. Rather, the court found that Gordon had intentionally sought out, and benefited financially from, the very burdens of which he later complained, and so could not be considered "adversely affected."

Finally, the court also held that Gordon's state law claims regarding allegedly misrepresented email header information were preempted by CAN-SPAM. The court held that Gordon's claim that the "from lines" of the emails failed to clearly identify Virtumundo as the sender did not rise to the level of "falsity or deception," the only type of state law commercial email claim excepted from CAN-SPAM preemption.

Gordon's claims were therefore rejected on three grounds: (1) he was not an Internet access service provider; (2) he was not adversely affected; and (3) his state law claims were preempted by CAN-SPAM. Three strikes and this plaintiff is out.