Even as Congress continues to debate passing a unified federal data breach notification law, California continues to be at the forefront of data privacy regulation. Here, we briefly discuss two California privacy bills to watch during the latter half of 2015.
1.  Data Breach Response - Identity Theft Insurance

California Bill AB 259 seeks to amend Section 1798.29 of the Civil Code (relating to information privacy). The bill applies specifically to "agencies" and would require that agencies that are the source of a data breach involving "a person's social security number, driver's license number, or California identification card number" to "offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information[.]"

As used in the Information Practices Act of 1977 to which this bill would apply, "agency" is defined as:

 (b) The term "agency" means every state office, officer, department, division, bureau, board, commission, or other state agency, except that the term agency shall not include:
   (1) The California Legislature.
   (2) Any agency established under Article VI of the California Constitution.
   (3) The State Compensation Insurance Fund, except as to any records which contain personal information about the employees of the State Compensation Insurance Fund.
   (4) A local agency, as defined in subdivision (a) of Section 6252 of the Government Code.

This is an interesting proposal by Assembly Member Dababneh because the issue of whether identity theft monitoring services are actually helpful in data breach events has received mixed reviews. At the same time, with the use of "if any" (emphasized above), the bill does not appear to actually require that agencies offer "identity theft prevention and mitigation services", merely that if they are offered, that they be offered for at least 12 months and at no cost to an affected individual.

2. Geolocation Legislation

California Bill AB 83 introduced by Assembly Member Gatto seeks to amend Section 1798.81.5 of the Civil Code (relating to personal data). The bill seeks to amend the existing statute to expand the list of personal information that businesses must protect to expressly include "geophysical location information" defined to mean "any personally identifiable information describing or concerning the duration of a transportation service provided to an individual, the location and route of a transportation service provided to an individual, or, if applicable, the monetary exchange associated with a transportation service provided to an individual." The bill also seeks to amend the "reasonable security procedures and practices" that companies must take with the proposed final revision to read:
(f) For purposes of this section, "reasonable security procedures and practices" as they pertain to the storage and transmission of personal information  shall require, at a minimum, the security of that information to the degree that any reasonably prudent business would provide. All of the following shall also apply: 
  
   (1) At a minimum, the business shall:     

(A) Identify reasonably foreseeable internal and external risks to the privacy and security of personal information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the information. 
(B) Establish, implement, and maintain safeguards reasonably designed to ensure the security of the personal information,including, but not limited to, protecting against unauthorized loss, misuse, alteration, destruction, access to, or use of the information.
(C) Regularly assess the sufficiency of any safeguards in place to control reasonably foreseeable internal and external risks, and evaluate and adjust those safeguards in light of the assessment.
(D) Evaluate and adjust any material changes in the operations or business arrangements of the business, or any other circumstances, that create a material impact on the privacy or security of personal information under control of the business. 
   (2) The reasonableness of the security procedures and practices shall be determined in light of all of the following:
(A) The degree of the privacy risk associated with the personal information under the business's control.
(B) The foreseeability of threats to the security of the information. 
(C) The existence of widely accepted practices in administrative, technical, and physical safeguards for protecting personal information. 
(D) The cost of implementing and regularly reviewing the safeguards.
The definition for geophysical location information appears to be directly targeted to the ride sharing services that are growing in popularity in the new 'sharing economy.' But, it may be narrow given the amount of other devices and companies that are collecting geophysical location information. For example, ArsTechnica recently reported on a case out of California where an employee alleges that she was fired for deleting an app that tracked her location information 24 hours a day. (But see also California Bill SB 576, which "would require the operator of a mobile application to provide clear and conspicuous notice that fully informs consumers when, how, and why their geolocation information, as defined, will be collected, used, and shared upon installation of the application. The bill would require the operator of a mobile application to obtain consent before collecting or using geolocation information and to obtain separate consent before disclosing that information.")

For those working in the healthcare space, the new language in Bill AB 83 for "
reasonable security procedures and practices" should be very reminiscent of HIPAA requirements and particular the the Risk Analysis process. The new language is also similar to the requirements that have been set out by the Federal Trade Commission through its regulation by litigation (or enforcement) process. This bill would, in effect, expand these requirements to all industries operating in California. While businesses may not be pleased about this level of detail, at the same time, for those businesses that are not sure about their obligations, Bill AB 83 would clarify the requirements (and will likely increase litigation).




Posted by Tatiana Melnik on June 8, 2015