BreachExchange mailing list archives

California enacts more sweeping data privacy laws


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Mon, 26 Oct 2015 19:12:00 -0500

http://www.lexology.com/library/detail.aspx?g=4e373744-24d2-481d-a9ba-331b97b2e6ff

Perennially leading the country — and challenging companies to keep up —
California has, for the third time in three years, enacted several new data
laws, including a groundbreaking digital privacy law and amendments to its
data breach notification statute that expand the classes of data protected
under the law, provide a new definition of encrypted data and establish a
template for breach notifications, among other changes. The new laws take
effect on Jan. 1, 2016.

At the top of the list is the Electronic Communications Privacy Act, which
gives Californians the strongest digital privacy rights in the U.S. by
restricting how the government accesses digital information (including any
metadata or digital communications — such as emails, texts, digital content
and documents stored in the cloud), requiring law enforcement to obtain a
search warrant or wiretap order before accessing private communications and
location data stored on smartphones, tablets and other digital devices.
Five other states have warrant protection for content, and nine others have
warrant protection for GPS location tracking, but California is the first
to enact a comprehensive law protecting location data, content, metadata
and device searches. While the new warrant requirements bind government
actors rather than private entities, they will have a downstream effect:
companies that operate in California will have to re-evaluate their
procedures for responding to data requests from law enforcement.

California’s data breach notification law has also been modified through a
number of separate bills amending the existing law — already one of the
nation’s most onerous. California law already requires companies that own
or license data, including the personal information of California
residents, to report data security breaches — generally the exposure of
unencrypted data. One of the new amendments attempts to clarify an existing
safe harbor for encrypted data by adding a definition of “encrypted
information” as information “rendered unusable, unreadable, or
indecipherable to an unauthorized person through a security technology or
methodology generally accepted in the field of information security.”
Although the bill is intended to encourage encryption and clarify what
constitutes acceptable encryption, the definition is worrisomely opaque.
And because it requires that encryption be accomplished in a way that is
“generally accepted in the field of information security,” companies must
pay greater attention to how they secure personal data, evaluate their
existing encryption system (if they have one) and implement
industry-standard technology.

Another bill amends the state’s data privacy laws by adding to the
definition of protected “personal information,” which has been expanded to
include “a username or email address in combination with a password or
security question and answer that would permit access to an online
account.” The new law expands the reach of potential liability to
information that doesn’t directly expose an individual user’s identity but
may allow unauthorized access to private online accounts.

Yet another bill, SB 570, establishes a prescribed template for data breach
notifications. The bill sets forth requirements for notifications,
including that they are written in plain language, in a minimum font size,
titled “Notice of Data Breach” and contain specific information organized
under clearly and conspicuously displayed headings including “What
Happened,” “What Information Was Involved,” “What We Are Doing,” “What You
Can Do” and “For More Information.” The bill provides a model form for
companies to use when a data breach occurs that triggers the notification
requirements, and includes requirements as to the delivery method for the
notice.

Finally, California Gov. Jerry Brown signed into law a bill requiring that
smart-TV makers ensure voice-recognition features can’t be enabled without
consumers’ consent, and barring makers from using recorded conversations
for advertisement purposes. The legislation does not provide a private
right of action, but empowers the state attorney general or a district
attorney to prosecute manufacturers, as well as retailers, resellers,
importers and any other entities that knowingly violate the law, and
carries a civil penalty of up to $2,500 per violation.

In all, these amendments add to the complexity of state-level data privacy
compliance. Companies operating in California (even if not based in the
state) should be aware of the state’s evolving definition of “personal
information” and consult with counsel to ensure that their privacy and data
security policies meet California’s expanded requirements.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
