California

Subscribe to California via RSS

ThinkstockPhotos-516780641-webOn September 17, 2015, California Attorney General Kamala Harris announced a $33 million settlement with Comcast Corp. to resolve an investigation into Comcast’s publishing of phone numbers that consumers had paid the company not to publish.1 Notably, the settlement is the largest privacy settlement on record to date, surpassing the recent $25 million settlement the Federal Communications Commission (FCC) obtained from AT&T in April 2015.2 The action is also notable for which agency brought it and which agencies did not participate—this was a California state action and not an FCC or Federal Trade Commission (FTC) enforcement proceeding. The FTC has been the leading privacy enforcer over the last twenty years, and the FCC has spent the last two years nipping at the FTC’s heels on privacy enforcement. So, why did the two leading federal privacy regulators apparently sit on the sidelines for the largest privacy settlement on record? This article examines that question and posits some theories on why the other agencies may not have proceeded. Regardless of whether federal regulators decided to act in this case, the Comcast settlement with California offers a stark reminder for companies that failing to protect consumer privacy or misleading consumers about privacy protections can land you in expensive hot water on a wide variety of regulatory fronts.
Continue Reading Comcast Enters into Largest Privacy Settlement on Record with California Attorney General

Prompted by data breaches affecting large retailers in the United States, the California legislature recently passed Assembly Bill 1710 (A.B. 1710) to update the state’s breach notification law to require breached entities to provide free credit monitoring services to affected individuals following certain types of data breaches. This change, effective January 1, 2015, was recommended by the California Attorney General’s Office in its 2013 Data Breach Report. The Attorney General’s Office recently published its 2014 Data Breach Report, and its recommendations provide insight into the office’s enforcement priorities. The recommendations may also find their way into California law.
Continue Reading California Amends Data Breach Notification Law and State Attorney General’s Data Breach Report May Lead to More Changes

ThinkstockPhotos-488600674-webIn keeping with its position as the nation’s leader on privacy issues, the state of California recently enacted significant new laws on student privacy and education data. The Student Online Personal Information Protection Act (SOPIPA) sets forth a variety of restrictions on how operators of online services offered in schools can use and disclose student information, and requires operators to implement reasonable security measures to protect student data. A separate law (A.B. 1584) sets forth privacy requirements for providers of digital storage services and educational software used in schools. A final law (A.B. 1442) establishes privacy requirements for companies that collect students’ social media information on behalf of schools. The laws were signed by Governor Jerry Brown on September 29, 2014.
Continue Reading California Enacts Landmark Student Privacy Laws

A proposed California law, the Consumer Data Breach Protection Act (A.B. 1710),1 has the potential to upend the calculus of determining liability after retail data breaches, create additional data security requirements for retailers and other consumer-facing businesses operating in California, and establish new standards for data breach reporting for breaches affecting California residents. The bill, introduced by California State Assemblymen Bob Wieckowski and Roger Dickinson in February 2014 and currently pending before the California Assembly Committee on the Judiciary, may in part represent an effort to respond to the recent data breaches affecting Target Corp. and Neiman Marcus Ltd., and aims to strengthen one of the most prescriptive state statutes already in existence.

The heightened concern over data privacy in recent months might enable the passage of the bill, which is a variation of past bills that were vetoed by former Governor Arnold Schwarzenegger.2 If passed, A.B. 1710 would place California alongside Washington, Minnesota, and Nevada as the states mandating particular data security provisions with respect to payment card data,3 and would increase the data breach reporting requirements and liability associated with breaches for entities doing business in California.
Continue Reading Proposed California Law Would Impose Data Breach Liability on Retailers and Create More Stringent Data Security Requirements for Businesses

Kaiser Foundation Health Plan, Inc. (Kaiser) recently agreed to settle charges brought by California Attorney General Kamala Harris alleging that Kaiser, a component of Kaiser Permanente, the largest health maintenance organization in the U.S., violated California’s unfair competition law by taking too long to notify more than 20,000 current and former employees that their personal information had been compromised.1 The case and its settlement may have significant implications for businesses that suffer data security incidents requiring notification to affected persons.
Continue Reading Kaiser Foundation Health Plan Settles California Attorney General Charges over Delayed Data Breach Notification

California, which enacted the pioneering security breach notification law in 2002, again has taken the lead in security breach notification legislation. In an effort to protect consumers against unauthorized access to their online accounts, California has extended its security breach notification law to cover individuals’ online account credentials (i.e., a user name or email address, in combination with a password or security question and answer, that would permit access to an online account) in amendments that will take effect on January 1, 2014.1 This article discusses California’s existing security breach notification obligations, as well as the changes provided for in these amendments.
Continue Reading California Extends Security Breach Notification Requirements to Online Account Credentials