Some State Data Encryption Requirements More Effective than Others
Posted by Randy Gainer
State and federal laws encourage businesses to encrypt consumers’ computerized personal information. Most state data breach notice laws do not require businesses to notify their customers when customers’ digital personal information has been stolen or lost if the information was encrypted. The Federal Trade Commission encourages but does not mandate that consumers’ personal data be encrypted. See Protecting Personal Information, A Guide for Businesses.
Nevada enacted a statute that goes further and affirmatively requires businesses to encrypt certain consumer data. Washington and Michigan are currently considering legislation that would also require consumer data to be encrypted. The Nevada statute and the pending Washington and Michigan bills contain different encryption requirements. Of the various measures, the proposed Michigan bill and the Washington Senate bill would most effectively protect consumer data if they are enacted.
California Breach Disclosure Law Now Covers Medical Records
California extended its data breach notification law to include incidents involving electronic medical and health insurance information. California's data breach law, SB 1386, had previously covered only financial records. The new law, AB 1298, took effect January 8, 2008. The law adds medical and health-related information to the existing breach notification law definition of "personal information" and expands the application of the Confidentiality of Medical Information Act (CMIA) to include any business organized for the purpose of maintaining medical information.
Nevada passes first law requiring business to encrypt customer personal information during transmission
Posted by Charlene Brownlee
Significance of the Law
Nevada has enacted the first data security law that mandates encryption for the transmission of customer personal information (NRS 597.970). The law goes into effect on October 1, 2008. While there are several laws that direct organizations in certain industries to consider using encryption and laws that make encryption a factor in decisions regarding breach notifications, no law required the encryption of personal information prior to this Nevada law.
California Governor Vetoes Proposed Law Imposing Stronger Data Protection Requirements
Posted by Charlene Brownlee
California Governor Arnold Schwarzenegger vetoed AB 779 -- legislation that would have amended California's data security breach legislation to impose stronger data protection requirements than the Payment Card Industry Data Security Standard.
AB 779 would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards (and debit cards or other payment devices) from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. Further, the bill would have made such businesses liable to the owner or licensee of the information for the reimbursement of costs of: (i) providing notice to consumers as required by existing data breach notification law; and (ii) card replacement as a result of the breach.
So When Did Protecting Privacy Become Unconstitutional?
Posted by Thomas Jeffry
The clash between privacy advocates and the companies that make millions of dollars collecting and selling data about pharmaceutical prescription patterns was perhaps inevitable. When the State of New Hampshire passed the Prescription Confidentiality Act last year, leading health information brokers were quick to challenge the law, which prohibited prescription information records that contain identifiable data about a patient or prescriber from being transferred, licensed, sold, or used for most commercial purposes. The Act specifically precluded the use of prescriber-identifiable data for "physician detailing," which pharmaceutical companies use to track the prescribing habits of physicians in order to target individual sales pitches to such physicians.
State Laws to Shift Some Data Breach Costs to Businesses with Weak Security
Posted by Randy Gainer
As of May 25, 2007, one state has adopted and five are considering important new data breach laws. The laws will require businesses that fail to implement adequate security to pay some of the costs that others incur if the first business’s failure to implement security measures contributes to the theft of consumers’ personal information. Although the state laws are not uniform, they each address the failure of current federal and state data security statutes to permit businesses to recover such costs. The laws also respond to court decisions that refused to shift costs to businesses whose security contributed to data thefts.
California's Constitutional Right to Privacy is Limited by Statutory Litigation Privilege
On April 5, 2007, a unanimous state Supreme Court ruled that California’s litigation privilege extends to claims based on the state’s constitutional right to privacy. While conceding that the statutory privilege would have to yield to the constitutional privacy right if the two conflicted, the court concluded that “the statutory and constitutional provisions are not in conflict; they can and do coexist.”
California Extends Privacy Protections to Everywhere: If you Call a Californian, Don't Tape Without Permission
Posted by Bruce E.H. Johnson
My LA partners Kelli Sager and Al Wickers have written about a new California decision, which has significant implications for everyone — including especially unsuspecting souls who never intend to set foot in the state but happen to have a telephone and a recording device.
California's privacy laws, which have criminal penalties, can be applied to out-of-state individuals and businesses.
Federal Contract Granted to Address Privacy and Security of Electronic Health Records
Posted by Peerapong Tantamjarik
An article today in the Jackson (MS) Clarion-Ledger reported that the state of Mississippi would receive a federal contract to implement the Health Information Security and Privacy Collaboration (HISPC). HISPC is a national effort consisting of a multi-disciplinary team of experts and the National Governors Association (NGA). The HISPC's goal is to work with approximately 40 states or territorial governments to assess and develop plans to address variations in organization-level business policies and state laws that affect privacy and security practices and that may pose challenges to interoperable health information exchange.
Pennsylvania Becomes 22nd State to Enact a Data Breach Disclosure Law
Posted by Bruce Johnson
Pennsylvania has recently enacted a data breach disclosure law (S.B. 712), another statute modeled on the original 2002 California law. Pennsylvania's law, which was signed by Governor Rendell on December 22, 2005, makes it the 22nd state to enact such legislation.
