A growing number of state and federal laws require organizations to implement reasonable security safeguards to protect personal information. But what constitutes reasonable data security? This question has vexed organizations and spurred a considerable amount of litigation. On February 16, 2016, the California Attorney General’s Office released its 2016 Data Breach Report, which for the first time provides a listing of safeguards that the Attorney General views as constituting reasonable information security practices. Despite being focused on California, the Report’s recommendations are likely to have an impact far beyond the borders of the Golden State.
For the past several years, California’s Legislature has actively sought to regulate unmanned aerial systems (UAS), including, but not only, through privacy-related legislation. In the 2014 session, one bill passed and was signed by Governor Brown. It bans the use of UAS to capture images or record voices of people without their permission, and is widely regarded as an anti-paparazzi law, aimed at protecting the many celebrities – and their children – in California’s entertainment industry. However, the wording of the bill more broadly protects individuals’ privacy from visual or audio recording in a manner that is “offensive to a reasonable person … under circumstances in which the [person] had a reasonable expectation of privacy” if the recording could not have been made without either trespassing or using special equipment. The bill is codified at California Civil Code section 1708.8. In the 2015 session, the California Legislature introduced five more bills, covering a range of issues.
Is data security legislation coming to a state near you? With data breaches continuing to make the headlines, 60 Minutes reporting that breaches are inevitable and federal legislation seeming unlikely, consumers and advocates may press state lawmakers to address data security. We have already seen state data breach notification laws proliferate following California’s enactment of the first such law in 2002. We may see data security laws spread in a similar fashion. In this post, we look at current and proposed state data security laws and consider their potential impact.
On January 1, 2014, California Assembly Bill 370 will go into effect, requiring operators of websites and other online services, including mobile applications, to provide new disclosures in their website privacy policies about online tracking.
California recently passed a law updating its breach notification requirements and making it the first state to expand the definition of personal information to expressly include login credentials for online accounts. Under the new law, companies would be required to notify individuals if and when their passwords, usernames, or security questions and answers are compromised or stolen. The latest amendments become effective as of January 1, 2014.
On Wednesday, Harriet Pearson, a partner in Hogan Lovells’ Privacy and Information Management Practice, appeared on the Cyberlaw and Business Report Internet radio show to discuss newly enacted California privacy laws. This blog post contains a link to the interview and a downloadable podcast.
On August 26, the California legislature passed AB 370, which would require commercial websites and other online services such as mobile apps to include language in their privacy policies disclosing whether the service uses third-party vendors to track users across a network of other websites or online services, and how the users can opt out of such tracking using a centralized “do not track” signal or other mechanism. If signed by the governor, as expected, this bill would apply de facto to most websites and mobile apps by virtue of their accessibility in California, and would require revision of many privacy policies as a result.
On February 4, 2013, a sharply divided California Supreme Court held in Apple, Inc. v. Superior Court (Case No. S199384) (“Apple”) that the Song-Beverly Credit Card Act (the “Act”) does not apply to online purchases in which products are downloaded. The Act prohibits retailers from requesting or requiring consumers to provide personal identification information (“PII”) […]
James Denvil, an associate in our Washington office, contributed to this entry. This week, Washington lawmakers and California’s Attorney General focused their attention on mobile privacy. The Senate Judiciary Committee is considering a measure that would establish legal requirements for apps that collect or share location information from mobile devices. A Democratic congressman released for […]
On Tuesday, October 30, the California Attorney General Kamala Harris announced that her office has begun “formally notifying” mobile device application (“app”) operators that they are out of compliance with the notice provisions of the California Online Privacy Protection Act of 2003 (“CalOPPA”). The letters are a reminder that app developers and their partners should review their app data privacy and security practices and ensure that any apps collecting PII comply with the CalOPPA requirements, as well as other applicable Federal and state laws.
A new law that amends the California Confidentiality of Medical Information Act (CMIA) may provide some relief to HIPAA covered entities and business associates, some of whom have faced class action lawsuits seeking millions in statutory damages under the CMIA for large-scale data breaches. The changes to the CMIA are summarized in this entry.
California has become the latest state to pass a law prohibiting employers from requesting access to employees’ and job applicants’ social media information or accounts.
A new agreement this week between mobile app platform operators and the California Attorney General effectively creates enforceable, nationwide mobile app privacy standards that companies will need to follow going forward.
The California Attorney General recently launched an online form for businesses to report breaches of security, which is described in this entry.
A new amendment to California’s security breach notification statute establishes specific content requirements for data breach notifications and imposes a new Attorney General notification requirement for breaches affecting more than 500 California residents.
The U.S. Court of Appeals for the Ninth Circuit held on August 6, 2009 that standing for private plaintiffs under the CAN-SPAM Act is limited. Judge Richard Tallman, who authored the court’s opinion in Gordon v. Virtumundo, Inc., No. 07-35487 (Aug. 6, 2009, 9th Cir.), noted that this was the first case in which the […]