Proposed Florida Advisory Opinion Would Allow Attorneys to Advise Clients to Clean Up Social Media before Litigation Starts

On January 23, 2015, the Professional Ethics Committee of the Florida Bar issued Proposed Advisory Opinion 14-1, in which the Committee found that “a lawyer may advise the client pre-litigation to remove information from a social media page, regardless of its relevance to a reasonably foreseeable proceeding.”  However, the Committee explained that this can be done “as long as the removal does not violate any substantive law regarding preservation and/or spoliation of evidence.”  The Committee recognized that New York and other states have also found that lawyers may advise their clients to remove (or modify) information from social media as long as there is no duty to preserve it and no spoliation of evidence.

Moreover, the Proposed Advisory Opinion stated that if a lawyer chooses to counsel his or her client pre-litigation to remove information from social media, “an appropriate record of the social media information or data must be preserved if the information or data is known by the lawyer or reasonably should be known by the lawyer to be relevant to the reasonably foreseeable proceeding.”  The Committee’s Proposed Advisory Opinion did recognize that “What information on a social media page is relevant to reasonably foreseeable litigation is a factual question that must be determined on a case-by-case basis.” 

The Committee’s Proposed Advisory Opinion also noted that the Committee was “aware of cases addressing the issue of discovery or spoliation relating to social media.”  The Committee’s Proposed Advisory Opinion cited cases from Virginia, New Jersey, and New York, the first of which was Allied Concrete v. Lester, 736 S.E. 2d 699 (Va. 2013), in which a lawyer was sanctioned $542,000 and the client sanctioned $180,000 for spoliation arising out of photographs being deleted from the client’s social media account.

If you would like to read the full text of Proposed Advisory Opinion 14-1, it can be found here.

Posted in Discovery, Litigation, Social Media

If You Post It, Your Opponent Can Probably Discover It

Earlier this week, our friends at the Property Insurance Law Observer wrote an article about a recent decision involving discovery of pictures posted to a plaintiff’s Facebook page.  The court found that the plaintiff had a lower expectation of privacy in information posted on social media, even where the plaintiff had taken steps to limit access to her pictures to only those considered to be her closest “friends.”  You can read Dick Bennett’s article here or keep reading below.  It is a cautionary tale in an age where online exposure to an individual’s private life is increasing every day and should serve as a reminder to litigants not to overlook social media when drafting discovery requests.

Property Insurance Law Observer – If You Post It, Your Opponent Can Probably Discover It

In March we ran a post on how important videos, photographs, and statements on social media sites can be when investigating a property loss.  A picture is literally worth a thousand words.  Earlier this month, a Florida court explained that such material is also discoverable – even in situations where the policyholder employs privacy settings that prevent the general public from having access to his or her account – because the user’s privacy interest in such a site is “minimal, if any.”

Posted in Discovery, Litigation, Privacy, Social Media

Time to Get Rid of Those Post-it Notes with All Your Passwords!!!

Cozen O’Connor’s Health Law Informer recently ran a timely piece that should be of interest to everyone.  The article describes a new law signed by New Jersey Governor Chris Christie requiring health insurance carriers to encrypt or otherwise secure computerized records of personal information. You can see the piece written by Ryan Blaney and J. Nicole Martin here, and of course, stay tuned to both the Health Law Informer and the Cyber Law Monitor for continuing updates on cybersecurity and data breach standards throughout the country.

Posted in Data Breach, Data Security, Privacy

A New Kind of Architecture: The President’s New Agenda on Cybersecurity

“[I]f we don’t put in place the kind of architecture that can prevent these attacks from taking place, this is not just going to be affecting movies, this is going to be affecting our entire economy in ways that are extraordinarily significant.”

– President Obama, December 19, 2014

If you watched President Obama’s State of the Union Address on January 20, you know that passing comprehensive cybersecurity legislation will be a central focus during his final two years in office. The President actually previewed his core legislative proposals in this area about a week before the nationwide address, to lay the groundwork for his cybersecurity agenda.

The administration is advocating passage of two primary pieces of legislation: one aims to allow more information sharing between private companies and government agencies about cyber threats and the other lays out new federal notification requirements in the wake of cybersecurity breaches. Much debate is yet to be had, and there is no way of knowing what provisions will be included in final bills. But President Obama is intent on leaving his mark as an architect of cybersecurity law in the digital age.

Cybersecurity Information Sharing Legislation

The first proposal has the stated purpose of codifying mechanisms for information sharing between private entities and the government about cybersecurity and specific cyber threats. An administration press release stated: “The proposal encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security . . .  which will then share it in as close to real-time as practicable with relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Organizations (ISAOs) by providing targeted liability protection for companies that share information with these entities.”

One of the key aspects of this proposed legislation is that it would allow authorized private entities to disclose “lawfully obtained” cyber threat indicators to both ISAOs and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), as long as their purpose is to protect information, identify or mitigate threats, or report a crime. Private entities would have to use reasonable efforts to minimize use of personal identifiers or information that is unrelated to threats. At the moment, the waters are somewhat murky as to whether private entities can or should share such information.   

In addition to making it legal for the first time for private entities to share cybersecurity information with the federal government under certain conditions, the proposal also contains guidelines for limiting liability, FOIA protections, and requirements for privacy protections.

Personal Data Notification & Protection Act

The second proposal addresses notice requirements to individuals affected by security breaches involving “sensitive personally identifiable information.” According to the White House, “The Administration’s updated proposal helps business and consumers by simplifying and standardizing the existing patchwork of 46 state laws (plus the District of Columbia and several territories) that contain these requirements into one federal statute, and puts in place a single clear and timely notice requirement to ensure that companies notify their employees and customers about security breaches.” 

The proposal would require covered business entities to provide reasonable notice to those affected by a breach in 30 days or less. Like many similar state laws, the proposal addresses the content and methods of notice, as well as different requirements depending on the scope of persons affected. There are additional notice requirements to credit reporting agencies and law enforcement, and the proposal explains that the Federal Trade Commission (FTC) will supervise compliance. 

While the President clearly sees the need for a federal notification system, it is not clear how the states will respond to the idea of federal preemption in this area. In particular, some states may take exception to the idea that the FTC will be in charge of notification enforcement. Of course, state attorneys general can also enforce the proposed terms, if there is reason to believe that residents have been threatened or will be adversely affected by noncompliance.   

In addition to the proposed legislative changes, the White House will hold a Summit on Cybersecurity and Consumer Protection at Stanford University on February 13th. Attendees will include leaders in financial services, technology and communications, computer security, and law enforcement. They will be asked to share information and help shape public and private sector efforts to protect American consumers and companies from growing threats to digital networks. 

If you would like to read the proposals in detail, they are available here and here.  The White House Press Release commenting on the proposals is available here.

Posted in Legislation, Standards

Two New Laws Give DHS Increased Cybersecurity Authority

Two recently enacted laws give the Department of Homeland Security (DHS) increased authority and ability to contain cybersecurity threats and breaches.  Congress passed both the Federal Information Security Modernization Act and the DHS Cybersecurity Authority Act on December 10, 2014.  President Obama signed them both in a marathon bill-signing session on the 18th, during which he signed fifty-one other bills. 

Federal Information Security Modernization Act

The Federal Information Security Modernization Act (FISMA) is an update to the Federal Information Security Management Act, first passed in 2002.  The modern version gives greater operational authority to DHS and enacts strict incident reporting requirements on government agencies.  The bill allows the Director of the Office of Management and Budget (OMB) to issue “principles, standards, and guidelines” to agencies regarding information security.  For day-to-day matters, the Secretary of DHS now has the ability to enact “binding operational directives” for individual agencies, to get them in compliance with the OMB guidelines.  The 2002 bill left the oversight to each agency’s head, but this update bestows a supervisory power on the DHS Secretary to ensure that guidelines are met.

The bill also changes the reporting requirements of cybersecurity breaches and incidents for federal agencies.  Under FISMA, the DHS Secretary is in charge of the Federal Information Security Incident Center, which collects data and helps agencies respond to information security threats.  In addition to an annual report, each agency must report major incidents or security breaches within thirty days to Congress.  The bill provides that the OMB Director should define what a “major incident” entails.

Tom Carper (D-Del.), who first introduced the bill, explained the need for it in 2013:

Federal agencies need to fully implement meaningful security programs that can withstand the serious cyber challenges we face today and will face for the foreseeable future … Given the growing cyber threats that America faces, I am now more determined than ever to put in place a comprehensive cyber policy to protect our nation, its people, its critical infrastructure, and its economy.

The bill can be found in its entirety here.

DHS Cybersecurity Authority Act

While FISMA increased DHS’s authority to control cybersecurity breaches, another bill passed by both houses this month increased its ability to do so.  The DHS Cybersecurity Authority Act, as part of the Border Patrol Agent Pay Reform Act of 2014, was passed to improve recruiting, hiring, and retaining cybersecurity experts in DHS.  It provides the DHS Secretary the authority to establish qualified positions for such experts and to set the experts’ rates of pay, including additional compensation like benefits.  The bill will “improve [DHS’s] authority to compete with the private sector and other agencies to hire and retain the people it needs to combat the cyber threats our country faces,” according to Sen. Carper, who introduced this bill as well.  The entire text of the bill can be found here.

Both bills were sent to President Obama on December 10th, and he signed both on the 18th.  These measures coincide with the President’s public commitment to increased cybersecurity measures.

Posted in Data Security, Legislation

Data Breach Plaintiff Given Second Chance to Certify Class Action Suit

Recently, the Pennsylvania Superior Court ruled in favor of data breach plaintiff Avrum Baum, giving him a second chance to certify a class action suit against Keystone Mercy Health Plan.  Baum brought suit against the insurer and its affiliate, AmeriHealth Mercy Health Plan, after it misplaced an unencrypted flash drive containing the personal health records of more than 200,000 subscribers.  Baum contends that Keystone Mercy violated the privacy rights of these subscribers, including his daughter, when electronically stored names, addresses, dates of birth, Social Security numbers, and clinical and health screening information were lost.

Keystone Mercy’s Chief Compliance and Privacy Officer discovered that the flash drive was missing in September of 2010.  As a result of the breach, the insurer offered credit monitoring services to 808 individuals whose partial or complete Social Security numbers were maintained on the drive.  They also provided notice of the missing data to the Pennsylvania Department of Public Welfare and the Federal Department of Health and Human Services Office of Civil Rights.

After lodging allegations that Keystone Mercy violated the catchall provision of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law (“UTPCPL”), Baum filed a motion with the Philadelphia Court of Common Pleas for class action certification.  His complaint characterized the potential class as all subscribers whose personal health records or other confidential or private information was compromised through Keystone Mercy’s improper handling of the flash drive.  The trial court conducted a hearing and, on July 25, 2013, entered an order denying the motion.  Baum subsequently appealed. 

The UTPCPL allows any private, individual purchaser who suffers ascertainable monetary or property loss as a result of an unlawful act to recover actual damages.  This consumer protection law seeks to prevent unfair competition and deceptive conduct in trade or commerce and, according to the Supreme Court of Pennsylvania, should be construed liberally in order to “effect its legislative goal.”  See Fazio v. Guardian Life Ins. Co. of Am., 62 A.3d 396, 405 (Pa. Super. 2013). 

Historically, UTPCPL plaintiffs were required to show justifiable reliance on a defendant’s wrongful conduct and subsequent harm suffered as a result of that reliance.  Yocca v. Pittsburgh Steelers Sports, Inc., 854 A.2d 425, 438 (Pa. 2004).  On that basis, the trial court concluded that class treatment of Baum’s allegations sounding in fraud was inappropriate.

The Superior Court, however, held that plaintiffs pursuing claims under the UTPCPL’s catchall provision do not need to show reliance, citing to Grimes v. Enterprise Leasing Co. of Phila., LLC, 66 A.3d 330, 337 n.4 (Pa. Super. 2013); Bennett v. A.T. Masterpiece Homes at Broadsprings, LLC, 40 A.3d 145, 152 n.5 (Pa. Super. 2012).  The court explained that the provision defines unfair methods of competition and business practices as “fraudulent or deceptive conduct” which creates confusion or misunderstanding.  In this way, justifiable reliance is not necessary to recover damages where a complaint alleges deceptive conduct.  Therefore, because Baum’s complaint specifically alleged both fraudulent and deceptive conduct on the part of Keystone Mercy, the trial court’s denial of the motion to certify his claim as a class action was improper.   

The Superior Court three-judge panel remanded Baum’s case to the trial court for further consideration of the conditions required for class action certification.  Whether the class will be certified remains to be seen, but the Superior Court’s holding may provide another avenue for data breach plaintiffs to have their day in court.

Posted in Data Breach

Cybersecurity…At Least There Is One Thing Congress Can Agree On

While most political observers were focused last week on the debates surrounding passage of the so-called “Cromnibus” spending bill, less noted was the fact that the U.S. Congress managed to pass a number of cyber-security bills in a rare moment of bipartisanship and cooperation between the House of Representatives and the Senate. 

One bill, the Cybersecurity Workforce Assessment Act, was passed in the House by voice vote on Thursday. Originally introduced by Rep. Patrick Meehan (R-PA), the bill directs “the Secretary of Homeland Security to assess the cybersecurity workforce of the Department of Homeland Security (“DHS”) and develop a comprehensive workforce strategy.” Specifically, the Secretary must identify key positions related to cybersecurity and create a strategy for enhancing the readiness, capacity, training, recruitment, and retention of cybersecurity personnel within the DHS. The strategy must include a five-year implementation plan and a ten-year projection of the cybersecurity workforce needs of the DHS. 

The final bill is slightly less demanding than the original. Whereas Congressman Meehan wanted the Secretary of Homeland Security to report to Congress every two years on the status of cybersecurity, the final version includes a mandate to report every three years. The original bill also would have required the Secretary to seek advice from academics and other private-sector analysts on the proper methods for ensuring cybersecurity, whereas the final bill only requires input from within the Department of Homeland Security. 

Another cybersecurity measure passed last week was the Intelligence Authorization Act. The primary purpose of this bill is to appropriate funds to the various intelligence agencies, but a number of cybersecurity-related provisions were included. For instance, Congress directed the Director of National Intelligence to conduct a study on the feasibility of “consolidating classified databases of cyber threat indicators and malware samples in the intelligence community.” This study will include an inventory of classified databases of cyber threat indicators and any impediments to consolidation. Congress also asked the Director to examine how to retain cybersecurity specialists within the intelligence community. 

Even though the Intelligence Authorization Act had broad, bipartisan support, its passage was not without difficulty. Just before it was put to a vote, the Senate quietly inserted an amendment dealing with “procedures for the retention of incidentally acquired communications.” The amendment, section 309 of the Act, requires authorities in the intelligence community to adopt procedures for disposing of private communications that were obtained without a warrant, subpoena, or similar legal device. The bill places a five-year limitation on the retention of such communications, unless they are determined to be necessary for national security purposes, criminal investigations, or are from people not protected by the Foreign Intelligence Surveillance Act. 

The House originally intended to pass the Senate version with a voice vote.  At the last minute, however, the staff of Rep. Justin Amash (R-MI) noticed the new Senate provision. Congressman Amash rushed to the House floor and demanded a recorded vote. He urged his colleagues to vote against the measure, arguing that the amendment would allow the intelligence community to transfer private communications obtained without a warrant to domestic law enforcement for criminal investigations.  Supporters responded that the new measure would actually restrict warrantless data collection. The bill passed the House on a 325-100 vote.

Posted in Legislation

The FCC Asserts its Role as Regulator of Data Security

The FCC recently signaled its intention to move aggressively into the realm of data security regulation. On October 24, 2014, the agency released a Notice of Apparent Liability for Forfeiture (NAL), ordering two telecommunication companies to pay a combined $10 million forfeiture for failing to secure consumers’ personal information. This is the first time the FCC has attempted to regulate data security. After a decade of increasing FTC regulation in this area, companies must now prepare for FCC enforcement action as well.

The FCC’s recent action came after it was discovered that the two companies, TerraCom Inc. and YourTelAmerica Inc., had made 305,000 clients’ sensitive data available to the public. Data included Social Security numbers, scans of passports, and driver’s license information.

TerraCom and YourTel, jointly owned companies, participate in Lifeline, a federal program that provides subsidized phone service for low-income consumers. Both companies collect identifiable information, such as names, addresses, birthdates, and Social Security numbers, in order for consumers to prove that they qualify to participate. The companies collected this information and contracted with a third party to host and store it.

In April 2013, an investigative reporter notified the companies that there were holes in the security measures undertaken to protect the personal information provided by low-income applicants to the program. In fact, between March 24, 2013 and April 26, 2013, the reporter was able to access and download 128,066 proprietary records, which were available on public websites and located through a simple Google search. The Enforcement Bureau of the FCC independently confirmed that at least two applications containing personal information were openly available through search engines as late as June 30, 2014. Evidence also showed that a number of IP addresses from foreign countries, including Russia and China, accessed the data.

The FCC is pursuing an enforcement action by relying on a decades-old statute, Section 503(b)(1) of the Communications Act of 1934, which allows forfeiture penalties against any person who willfully or repeatedly fails to comply with any provision of the Act or any rule, regulation, or order from the Commission. The FCC specifically alleges four violations under sections 222(a) and 201(b) of the statute:

  • Under section 222(a), the companies failed to protect the confidentiality of proprietary information that consumers provided for eligibility consideration. The agency claims that the security measures put in place lacked even the most basic features that would protect consumers’ proprietary information.
  • The FCC alleges that the companies violated section 201(b) by not employing reasonable data security practices to protect consumers’ proprietary information. According to the NAL, the companies stored the information in clear, readable text that was accessible to anyone using simple search techniques, creating “an unreasonable risk of unauthorized access.”
  • Further, the FCC maintains that TerraCom and YourTel violated section 201(b) by representing in their policies that they protected customers’ proprietary information. The federal agency asserted that the representations made in privacy policies were false, deceptive, and misleading.
  • Lastly, the FCC contends that the companies engaged in unjust and unreasonable practice by failing to notify all customers whose proprietary information was likely breached. According to the NAL, TerraCom and YourTel only notified 35,129 of the more than 300,000 persons whose personal information was exposed. The FCC argued that notifying “anything less than all potentially affected customers” of the exposure was unjust and unreasonable.

Statements by the FCC Commissioners suggest that this may be the start of continued involvement by the agency in this area of regulation. The chairman of the Commission, Tom Wheeler, stated that the FCC, as the expert agency on communications networks, “cannot – and will not – stand idly by when a service provider’s lax data security practices expose the personal information of hundreds of thousands.” Another commissioner agreed, arguing that “[t]he Commission has a clear role to ensure that providers protect sensitive information.”

The NAL, however, was not unanimously agreed upon: two commissioners issued dissenting statements. Commissioner Ajit Pai focused on the lack of notice given to companies, pointing out that the Commission has never interpreted the Communications Act to impose an enforceable duty on carriers to employ data security practices to protect personal identity information. He argued that in this enforcement action the “Commission asserts that these companies violated novel legal interpretations and never-adopted rules.” The other dissenting voice, Commissioner Michael O’Rielly, made similar arguments regarding fair notice, and also asserted that the Communications Act “was never intended to address the security of data on the Internet.”

Some commentators have noted that the FCC may have decided to take action after a number of failed attempts by Congress to address the issue. In the last decade, the FTC has also moved into the realm of data security regulation, relying on its authority to police unfair and deceptive trade practices. While settlements in those cases are common, a few companies have recently challenged the agency’s allegations. Those companies have asserted that Section 5 of the Federal Trade Commission Act does not give the FTC the power to set data security standards for private companies and, even if it did, the regulatory agency had failed to give fair notice. These arguments echo the points raised by the dissenting commissioners on the FCC, who may foresee a future judicial challenge to the agency’s recent actions.

While the companies have 30 days from the date of notice to seek a reduction in the fine, this action should serve as a warning sign for companies throughout the country regarding the need to assess and reevaluate practices regarding data protection. There is clear momentum behind increasing federal regulation of data security.

The full text of the NAL can be accessed here.

Posted in Data Security, Privacy, Regulations

California Health Care Providers Successfully Ward Off Data Breach Lawsuits

In a pair of recent cases, two California health care providers successfully warded off lawsuits arising from unauthorized data breaches of patient files.  These cases illustrate that improper disclosure of electronically stored personal information is an increasing concern for the health care industry.  They also highlight judicial reluctance, at least in California, to impose damages on health care providers where security breaches cause minimal or no actual harm to plaintiffs.

Both cases were brought under the California Confidentiality of Medical Information Act (CMIA) which prohibits health care providers from disclosing medical information about patients without authorization.  The Act further requires every provider who creates, maintains, preserves, or destroys medical information to do so in a manner that “preserves the confidentiality of the information contained therein.”  In addition to other remedies available at law, CMIA plaintiffs may seek nominal damages of $1000 from individuals or entities who negligently release confidential information in violation of the Act. 

On October 15, 2014, the Supreme Court of California declined to hear an appeal of a lower court’s ruling that Sutter Health was not liable for $4 billion in damages following a data breach.  The case arose after a thief broke into Sutter Health’s Sacramento office and stole a desktop computer containing the medical records of more than four million patients.  The computer’s hard drive was password-protected but not encrypted.  Plaintiffs filed a class action suit alleging that although there was no evidence that the thief accessed the medical records on the hard drive, Sutter Health nevertheless violated Sections 56.10 and 56.101 of the CMIA because of the “potential misuses of personal medical information.”  In response, Sutter Health filed a demurrer arguing that the complaint failed to state a cause of action absent allegations that any unauthorized persons viewed the stolen data.

California’s Third District Court of Appeals ultimately sided with Sutter Health and dismissed the class action suit.  It held that Section 56.10’s prohibition on improper disclosure of medical data was not triggered because it implied an affirmative communicative act on the part of the provider rather than an unauthorized theft.  Thus, because the computer was stolen by, and not given to, the thief, the court concluded that there was no impermissible disclosure under the Section.  Conversely, the court held that Section 56.101’s imposition of confidentiality on health care providers did apply.  It emphasized, however, that the Section was not violated because confidentiality was not breached.  The court reasoned that the Act allowed for a change in physical possession of paper or electronically stored data as long as the confidentiality of the information itself was preserved.  In other words, the court concluded, the CMIA did not impose liability where Sutter Health simply lost possession of the medical records and the thief did not access the confidential files. 

A California appellate court reached a similar conclusion following a data breach in March of 2011 when a computer was stolen from Eisenhower Medical Center in Rancho Mirage, California.  The computer contained an index of over 500,000 patients’ names, medical record numbers, ages, dates of birth, and Social Security numbers.  The electronic index was password-protected but not encrypted.  The defendant health care provider moved for summary judgment.  Eisenhower Medical claimed that although the theft resulted in the release of “individually identifiable information,” there was no medical data contained within the stolen index.  In this way, it argued that the CMIA required impermissible disclosure of patient “medical history, mental or physical conditions, or treatment” in order to impose liability.  In response, plaintiffs alleged that the mere fact that individuals were identified by name as patients of the provider amounted to a release of medical history.

The court agreed with Eisenhower Medical, emphasizing that under Section 56.05 of CMIA, “medical information” is “individually identifiable information . . . regarding a patient’s medical history, mental or physical condition, or treatment.”  The court emphasized the plain meaning of the Act and concluded that it did not encompass demographic or numeric data absent a history of treatment, diagnosis, or care.  The mere fact that a person was a patient of the provider at some time, the court concluded, was insufficient to impose liability under CMIA.

These cases illustrate the difficulty for patients to successfully sue California health care facilities following data breaches.  Nonetheless, the risk to providers remains.  Plaintiffs who can prove that electronic medical information was improperly disclosed or actually viewed may succeed in collecting large sums from health care providers.  The cases also suggest that providers should be diligent in storing and safeguarding electronic patient files and data.


California Enacts New Data Privacy Legislation

California is once again initiating significant changes to protect informational privacy in the digital world. Governor Jerry Brown recently signed several pieces of legislation in an attempt to protect individuals against invasions of privacy connected with personal data collection. California’s new legislation will regulate the collection and use of student data and amend the privacy requirements for businesses that collect personal data.

Over the last ten years, California has passed numerous laws protecting personal data.  As recently as 2013, California enacted two laws addressing digital privacy: one regarding how websites respond to citizens who ask the site not to monitor their personal behavioral information, and the other relating to the ability of minors under the age of 18 to erase portions of their social media accounts.  These laws were the first of their kind in the country and, together with the newly passed legislation, have earned California a reputation as one of the most prominent states, if not the most prominent, in guarding its citizens’ data privacy.

Student Online Personal Information Protection Act (SOPIPA)

As technology becomes more central to the student educational experience, the issue of protecting student personal data becomes more challenging. California’s SOPIPA attempts to balance the benefits of increased technology in education with concerns over abuse and misuse of personal information. SOPIPA makes significant changes to the way personal information of students in grades K-12 can be collected, stored, and used.

Websites, apps, and online services play a significant role in the modern classroom, but many of these educational services require, or allow, student grades, disciplinary history, and other personal information to be stored and analyzed by service providers. These providers often use student data to create new services and products that can be offered to K-12 students. SOPIPA protects student information in two significant ways: 1) operators providing K-12 services may not compile, share, or disclose student information for any reason other than those related to K-12 purposes, and 2) operators may not use student information for targeted advertising or marketing to K-12 students, their parents, or their families.

Notably, the law does carve out an exception allowing service providers to store anonymous student data to be used solely for the development and maintenance of their own educational products. In essence, the law tries to ensure that student information is used only for school-related purposes.

The full text of Senate Bill 1177 (SOPIPA) can be found HERE.

Amendments Protecting Personal Information and Identity

Recent amendments to California’s data breach notification requirements place new burdens on companies that suffer a breach of their electronic data security systems. Previously, California law required only those persons or businesses that owned or licensed personal data to give notice to citizens when their systems were breached. Under the new amendments, any business that maintains computerized data about a California resident must implement “reasonable security procedures,” and, if breached, must notify any resident whose information was compromised.

Another major change requires that “[i]f the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months.”

Commentators have given considerable attention to the words “if any” found in this provision.  Some are concerned that these words may be interpreted to mean that only businesses that previously provided identity theft prevention and mitigation services will be required to continue those services after a data breach. This ambiguity may be left for the judiciary to resolve.

Lastly, the amendments address how a California resident’s social security number may be used by other people and businesses. Prior to the amendment, a person or entity was prohibited from posting or displaying a citizen’s social security number or doing any act that may compromise the security of an individual’s social security number. Now, in addition to these prohibitions, a social security number may not be sold, offered for sale, or advertised for sale by any person or business. This provision strengthens the protections afforded to California citizens and clearly attempts to restrain the opportunity for identity theft.

The full text of Assembly Bill 1710 can be found HERE.
