California Bill Would Create Cyber Security Commission

By Christin McMeley and Jane Whang

In recognition of the increasing threat that cyber-attacks pose to the state's infrastructure and of the considerable sums that the government and private sectors are estimated to spend on cyber security (more than $70 billion nationally in 2014), Assembly Speaker John Perez has introduced a bill to establish a "Cyber Security Commission."

The bill (AB 2200), if passed, would authorize the proposed commission to develop public-private partnerships to share cyber security and cyber threat information and to improve cyber security and cyber response strategies. The commission is required to meet monthly and submit quarterly reports to the Governor's Office and Legislature on the status and progress of cyber security efforts.


Some State Data Encryption Requirements More Effective than Others

Posted by Randy Gainer

State and federal laws encourage businesses to encrypt consumers’ computerized personal information. Most state data breach notice laws do not require businesses to notify their customers when customers’ digital personal information has been stolen or lost if the information was encrypted. The Federal Trade Commission encourages but does not mandate that consumers’ personal data be encrypted. See Protecting Personal Information, A Guide for Businesses.

Nevada enacted a statute that goes further and affirmatively requires businesses to encrypt certain consumer data. Washington and Michigan are currently considering legislation that would also require consumer data to be encrypted. The Nevada statute and the pending Washington and Michigan bills contain different encryption requirements. Of the various measures, the proposed Michigan bill and the Washington Senate bill would most effectively protect consumer data if they are enacted.


California Breach Disclosure Law Now Covers Medical Records

By Charlene Brownlee

California extended its data breach notification law to include incidents involving electronic medical and health insurance information. California's data breach law, SB 1386, had previously covered only financial records. The new law, AB 1298, took effect January 8, 2008. The law adds medical and health-related information to the existing breach notification law definition of "personal information" and expands the application of the Confidentiality of Medical Information Act (CMIA) to include any business organized for the purpose of maintaining medical information.
 


Nevada passes first law requiring business to encrypt customer personal information during transmission

Posted by Charlene Brownlee

Significance of the Law

Nevada has enacted the first data security law that mandates encryption for the transmission of customer personal information (NRS 597.970). The law goes into effect on October 1, 2008. While there are several laws that direct organizations in certain industries to consider using encryption and laws that make encryption a factor in decisions regarding breach notifications, no law required the encryption of personal information prior to this Nevada law.


California Governor Vetoes Proposed Law Imposing Stronger Data Protection Requirements

Posted by Charlene Brownlee

California Governor Arnold Schwarzenegger vetoed AB 779 -- legislation that would have amended California's data security breach legislation to impose stronger data protection requirements than the Payment Card Industry Data Security Standard.

AB 779 would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards (and debit cards or other payment devices) from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. Further, the bill would have made such businesses liable to the owner or licensee of the information for the reimbursement of costs of: (i) providing notice to consumers as required by existing data breach notification law; and (ii) card replacement as a result of the breach.


So When Did Protecting Privacy Become Unconstitutional?

Posted by Thomas Jeffry

The clash between privacy advocates and the companies that make millions of dollars collecting and selling data about pharmaceutical prescription patterns was perhaps inevitable. When the State of New Hampshire passed the Prescription Confidentiality Act last year, leading health information brokers were quick to challenge the law, which prohibited prescription information records that contain identifiable data about a patient or prescriber from being transferred, licensed, sold, or used for most commercial purposes. The Act specifically precluded the use of prescriber-identifiable data for "physician detailing," which pharmaceutical companies use to track the prescribing habits of physicians in order to target individual sales pitches to those physicians.


State Laws to Shift Some Data Breach Costs to Businesses with Weak Security

Posted by Randy Gainer

As of May 25, 2007, one state has adopted and five are considering important new data breach laws. The laws will require businesses that fail to implement adequate security to pay some of the costs that others incur if the first business’s failure to implement security measures contributes to the theft of consumers’ personal information. Although the state laws are not uniform, they each address the failure of current federal and state data security statutes to permit businesses to recover such costs. The laws also respond to court decisions that refused to shift costs to businesses whose security contributed to data thefts.


California's Constitutional Right to Privacy is Limited by Statutory Litigation Privilege

By Rory Eastburg

On April 5, 2007, a unanimous state Supreme Court ruled that California’s litigation privilege extends to claims based on the state’s constitutional right to privacy.  While conceding that the statutory privilege would have to yield to the constitutional privacy right if the two conflicted, the court concluded that “the statutory and constitutional provisions are not in conflict; they can and do coexist.”


California Extends Privacy Protections to Everywhere: If you Call a Californian, Don't Tape Without Permission

Posted by Bruce E.H. Johnson

My LA partners Kelli Sager and Al Wickers have written about a new California decision, which has significant implications for everyone — including especially unsuspecting souls who never intend to set foot in the state but happen to have a telephone and a recording device. 

California's privacy laws, which have criminal penalties, can be applied to out-of-state individuals and businesses.


Federal Contract Granted to Address Privacy and Security of Electronic Health Records

Posted by Peerapong Tantamjarik

An article today in the Jackson (MS) Clarion-Ledger reported that the state of Mississippi would receive a federal contract to implement the Health Information Security and Privacy Collaboration (HISPC).  HISPC is a national effort consisting of a multi-disciplinary team of experts and the National Governor's Association (NGA). The HISPC's goal is to work with approximately 40 states or territorial governments to assess and develop plans to address variations in organization-level business policies and state laws that affect privacy and security practices which may pose challenges to interoperable health information exchange. 


Pennsylvania Becomes 22nd State to Enact a Data Breach Disclosure Law

Posted by Bruce Johnson

Pennsylvania has recently enacted a data breach disclosure law (S.B. 712, available here), another statute modeled on the original 2002 California law. Pennsylvania's law, which was signed by Governor Rendell on December 22, 2005, makes it the 22nd state to enact such legislation.
