California

Last Tuesday, District Judge Lucy Koh of the Northern District of California partially granted the plaintiffs’ motion for class certification in In re Yahoo Mail Litig., allowing the plaintiffs to pursue their claims for injunctive relief on behalf of class members under the Stored Communications Act (“SCA”) and California’s Invasion of Privacy Act (“CIPA”).  The plaintiffs, none of whom has a Yahoo email account, originally filed suit alleging that Yahoo scanned emails they exchanged with other individuals’ Yahoo email addresses and used the results for advertising purposes.  Last August, Judge Koh partially granted Yahoo’s motion to dismiss, eliminating the plaintiffs’ claims under the Wiretap Act and the California Constitution but allowing the SCA and CIPA claims to proceed.
Continue Reading Court Certifies Nationwide Class in Yahoo Email Scanning Litigation

This morning, the House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael Burgess (R-TX), held a hearing to determine what elements should be included in federal data breach legislation.  Despite the momentum for legislation created by high-profile breaches at retailers like Target and Home Depot, and most recently at Sony, ongoing efforts in both the House and Senate to replace the 47 currently existing state data breach laws with a single national standard have so far been unsuccessful.  This activity in the House is yet another attempt to enact a federal law governing data security, and today’s hearing made clear that many practical questions still remain for lawmakers to “get it right” on a data breach bill, as Rep. Fred Upton (R-MI) said.
Continue Reading House Debates Federal Data Breach Legislation

Many individuals are covered by health insurance but are not the policy holders for that coverage (e.g., the policy holder is a spouse or parent of the covered individual).  Routine communications sent by insurers, such as explanation of benefit letters or denial of claims notices, are often sent to the policy holder and may contain personal and sensitive information about a covered individual who is not the policy holder.  California’s Confidential Health Information Act, which became effective on January 1, 2015, is intended to provide greater privacy protection to individuals covered by health insurance where that individual is not the policy holder.
Continue Reading New California Health Privacy Law Goes into Effect

State legislators have recently passed a number of bills that impose new data security and privacy requirements on companies nationwide. The laws include new data breach notification requirements, marketing restrictions, and data destruction rules. Below is an overview of the new laws and amendments that will go into effect on January 1, 2015.
Continue Reading New State Privacy Laws Go Into Effect on Jan. 1, 2015

By Randall Friedland

California Attorney General Kamala D. Harris yesterday released the second annual California Data Breach Report.   The report provided statistics and analysis related to data breaches that were reported to the Attorney General’s office in 2013.  The report also outlined suggested best practices and provided recommendations on ways to improve data security.

Statistics

The report documented a clear upward trend in both the number of data breaches and those affected by such breaches.  For instance, in 2013, there were 167 data breaches reported in California, which is an increase of over 28 percent from the 131 data breaches reported in 2012.  Additionally, the records containing personal information of over 18.5 million California residents were compromised in 2013—a 600 percent increase from the previous year.  Even if the two largest data breaches involving retailers were excluded from this calculation, California still experienced a 35 percent increase in the number of records affected by data breaches. 
Continue Reading California Attorney General’s Second Annual Data Breach Report Finds Dramatic Increase in Number of Data Breaches

Yesterday, several big tech companies that offer educational and school services signed the “Student Privacy Pledge,” introduced by the Future of Privacy Forum (“FPF”) and The Software & Information Industry Association (“SIIA”) to safeguard student privacy as it relates to the collection, maintenance, and use of students’ personal information.  Among the fourteen education tech companies representing the initial group to join SIIA and FPF in introducing the Pledge are Microsoft, Amplify, and Houghton Mifflin Harcourt.  Notably, tech giants Google and Apple were absent from the list of signatories.  As part of the Pledge, effective January 1, 2015, participating companies agree to the following commitments:

  • Not to collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student
  • Not to sell student personal information
  • Not to use or disclose student information collected through an educational/school service (whether personal information or otherwise) for behavioral targeting of ads to students
  • Not to build a personal profile of a student other than for supporting authorized educational/school purposes or as authorized by the parent/student
  • Not to make material changes to school service provider consumer privacy policies without first providing prominent notice to the account holder(s) (i.e., the educational institution, or the parent/student when the information is collected directly from the student with student/parent consent) and allowing them choices before data is used in any manner inconsistent with terms they were initially provided; and not to make material changes to other policies or practices governing the use of student personal information that are inconsistent with contractual requirements
  • Not to knowingly retain student personal information beyond the time period required to support the authorized educational/school purposes, or as authorized by the parent/student
  • Collect, use, share, and retain student personal information only for purposes for which companies are authorized by the educational institution, teacher, or the parent/student
  • Disclose clearly in contracts or privacy policies, including in a manner easy for parents to understand, what types of student personal information is collected and the purposes for which the information maintained is used or shared with third parties
  • Support access to and correction of students’ personally identifiable information by the student or their authorized parent, either by assisting the educational institution in meeting its requirements, or directly, when the information is collected from the student with student/parent consent
  • Maintain a comprehensive security program reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information
  • Require that vendors with whom students’ personal information is shared in order to deliver the educational service are obligated to implement these same commitments
  • Allow a successor entity to maintain the students’ personal information, in the case of a merger or acquisition, provided the successor is subject to these same commitments for previously collected student personal information

Continue Reading Microsoft and Other Leading K-12 School-Service Providers Pledge To Protect Student-Data Privacy

Continuing our coverage of the flurry of bills signed into law by California Governor Jerry Brown last week, we turn now to AB 1710, an amendment to California’s data breach legislation. The data breach amendment makes three notable changes to existing laws regarding personal information privacy:

1.  Requires Companies that Maintain Personal Information to Implement and Maintain Reasonable Security Procedures and Practices.

California’s existing data breach law requires companies that own or license personal information to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information . . . .” Under existing law, the terms “own” and “license” include personal information retained as a part of a business’s internal customer accounts or for the purpose of using the information in transactions.

AB 1710 extends this requirement to companies that merely “maintain” personal information about Californians. The bill defines “maintain” in the negative: maintained information is personal information that a business does not own or license.

For purposes of implementing and maintaining reasonable security procedures and practices, California defines “personal information” as an individual’s first name (or first initial) and her last name in combination with her social security number, driver’s license or California ID number, any medical information, or a financial account number (such as a credit or debit card number) and the associated access code. Cal. Civ. Code § 1798.81.5(d)(1).
Continue Reading California Amends Data Breach Legislation

Last week, California enacted bills SB 1177 and AB 1584, strengthening student privacy protections in the State.

SB 1177 prohibits operators of online sites or mobile apps who know that their services are used primarily for K-12 school purposes and whose services are designed and marketed as such (“operators”) from using K-12 student data in four specific ways. First, SB 1177 prohibits operators from engaging in targeted advertising on any website or mobile app (including their own) if the advertising would be based on any information obtained from the operation of their K-12 online site or mobile app. Second, SB 1177 prohibits operators from using information obtained from the operation of the K-12 online site or mobile app to create a “profile” about a K-12 student, unless the profile is created in furtherance of K-12 school purposes. Third, operators are prohibited from selling a student’s information. And, fourth, SB 1177 prohibits operators from disclosing personally identifiable information, unless certain special circumstances exist, such as responding to or participating in judicial process.

In addition to the four prohibitions listed above, SB 1177 places two affirmative requirements on operators. The bill requires that operators “[i]mplement and maintain reasonable security procedures and practices” appropriate to the information protected, and to specifically protect the information from “unauthorized access, destruction, use, modification, or disclosure.” In addition, SB 1177 requires operators to delete personally identifiable information regarding a K-12 student upon request by a school or school district.

AB 1584 addresses the access to and use of K-12 student data by third-party vendors. AB 1584 explicitly permits local educational agencies to enter into contracts with third parties to provide online services relating to management of pupil records or to otherwise access, store, and use pupil records in the course of performing contractual obligations.
Continue Reading California Strengthens Student Privacy Protections

On Tuesday, September 30th, California Governor Jerry Brown signed into law 8 bills his office says were designed to “strengthen privacy [ ] protections.”

Among the bills is AB 2306, which prevents the attempt to capture an image or sound recording in an offensive manner through the use of
Continue Reading Calif. Gov. Brown Signs 8 Bills to Strengthen Privacy Protections

Last week, the U.S. Court of Appeals for the Ninth Circuit affirmed lower-court dismissals of two lawsuits under California’s “Shine the Light” law.  Shine the Light (or “STL”) requires businesses that disclose customers’ personal information to third parties for those parties’ direct marketing purposes to respond to customer requests for

Continue Reading Appeals Court Affirms Dismissal of “Shine the Light” Suits