Tuesday, February 3, 2009

California Online Privacy Bill

California may soon toughen its online privacy laws. Introduced December 1, 2008, California Senate Bill 20 amends the privacy statutes in Sections 1798.29 and 1798.82 of the California Civil Code. The amendment, introduced by Senator Joe Simitian, requires notification to the California Attorney General’s Office when dealing with unencrypted data mishaps. http://www.leginfo.ca.gov/pub/09-10/bill/sen/sb_0001-0050/sb_20_bill_20081201_introduced.pdf

The legislation would affect the way firms store and send information over the web. Curiously, recent changes in the law in Nevada and Massachusetts may already have a bigger impact on Californians than their own state law.

According to Charlene Brownlee in her Privacy and Security Law blog: “Nevada has enacted the first data security law that mandates encryption for the transmission of customer personal information. (NRS 597.970)” Brownlee notes, “Companies operating nationally should consider whether their existing policies and procedures regarding transmission of customer personal information comply with this new law.”

In his published account, the Wall Street Journal’s Ben Worthen digs into the new email privacy and data security laws enacted in Nevada and Massachusetts this past year. Worthen draws insight from experts in the field:

“The new state data-security laws are stricter than past regulations, which only required businesses to notify people whose personal information they lost. The new laws establish a standard that can be used by plaintiffs in civil suits to argue that a business that lost data was negligent” -- Miriam Wugmeister, attorney with Morrison & Foerster LLP.

"We do business in all 50 states so we're definitely reviewing it." -- Andrew Speirs, information security officer for National Life Group, an insurer based in Montpelier, Vt.

"It's a burden, but it's something you have to do." -- Karen Grant, Chief Privacy Officer for Boston-based Partners HealthCare System Inc., commenting on the $100,000 price tag for complying with the new law.

"Breach-notification laws deal with what happens after the horse leaves the barn. [The new regulation] is intended to prevent the horse from getting out of the barn in the first place." -- Daniel Crane, Undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation.

As for my own firm’s privacy solution, I’m told by Whittier Law Professor Denny Haythorn that “Lawyers should be breaking down your website to use it.” That solution can be viewed for free through the Los Angeles County Bar Association at https://sdx.lawdex.com/partners/lacba/ .