State Watch: CDA Amendments, Cal Right to Know and Data Breach, Delta Victory and Social Media Privacy

State Attorneys General to Push for Limitation on CDA Immunity

Section 230 of the Communications Decency Act provides immunity to websites for third-party content on the site.  It has stymied state efforts to regulate online solicitation, which has led some state attorneys general to push for an amendment to the CDA to exempt state criminal laws.  Santa Clara law professor and CLBR guest Eric Goldman condemned the proposal, asserting it would encourage further state regulation, which often is provincial in nature.

The amendment would unleash hordes of provincial headline-seeking prosecutors using countless broadly worded and possibly antiquated laws to go after Internet companies outside their states.  It’s easy to see how this massive expansion of prosecutorial activity could undercut the legal reliability and certainty that Section 230 currently provides.

California Right to Know Bill Stalls

California Assemblywoman Bonnie Lowenthal (D-Long Beach)’s Right to Know consumer privacy bill is on hold following an intense lobbying campaign by the tech industry.  Lowenthal may revisit the issue in January.

Lowenthal’s bill, A.B. 1291, provides that

This bill would instead require any business that retains a customer’s personal information, as defined, or discloses that information to a 3rd party, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer. This bill would require that a business subject to these provisions choose one of several specified options to provide the customer with a designated address for use in making a request for copies of information under these provisions.

The letter to California legislators from the coalition opposing Lowenthal’s bill is below:

Cal AG Harris Releases First Data Breach Report

While California has required data breach notification since 2003 (the first state in the country to do so), it did not require that notification also be sent to the Attorney General until 2012.  Attorney General Kamala Harris has released a report based on the 2012 notifications impacting 25 million Californians finding that

  • companies should encrypt digital personal information when moving or sending it out of their secure network.  In 2012, encryption would have prevented reporting companies and agencies from putting over 1.4 million Californians at risk;
  • companies should review and tighten their security controls on personal information, including training employees and contractors; and
  • companies should make the breach notices they send easier to read since the average reading level of the notices submitted in 2012 was 14th grade, much higher than the average U.S. reading level of 8th grade.

Additional key findings of the report include:

  • The average (mean) breach incident involved the information of 22,500 individuals. The median breach size was 2,500 affected individuals, with five breaches of 100,000 or more individuals’ personal information.
  • The retail industry reported the most data breaches in 2012: 34 (26 percent of the total reported breaches), followed by finance and insurance with 30 (23 percent).
  • More than half of the breaches (56 percent) involved Social Security numbers, which pose the greatest risk of the most serious types of identity theft.
  • More than half of the breaches (55 percent) were the result of intentional intrusions by outsiders or by unauthorized insiders. The other 45 percent were largely the result of failures to adopt or carry out appropriate security measures.

Attorney General Harris established the Privacy Enforcement and Protection Unit in 2012 to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes California’s Online Privacy Protection Act, as well as laws relating to cyber privacy, health and financial privacy, identity theft, government records and data breaches.

In October 2012, Attorney General Harris announced a settlement with Anthem Blue Cross over allegations the company breached its members’ personal data by failing to protect their Social Security Numbers.

Delta Wins Dismissal of CA Privacy Lawsuit

Last fall, California Attorney General Kamala Harris sent letters to Delta Airlines, OpenTable, United and dozens of other mobile application developers and companies warning them to post a privacy policy informing users of what personal information they were collecting and what would be done with it.  Harris took the position that California’s Online Privacy Protection Act, which required websites collecting personally identifiable information to post a privacy policy, applied to mobile apps.  Liability under CalOPPA attached only if a site failed to respond within thirty (30) days of receiving a notice of non-compliance.  Surprisingly, Delta did not respond and Harris initiated suit against the airline.

Delta won dismissal of the lawsuit on the grounds that it was preempted by the Airline Deregulation Act, which prohibits states from restricting any prices, routes or services of an air carrier.

Delta Dodges Calif. Privacy Suit Over Smartphone App,  Law360;  Nevada Becomes 11th State to Enact Social Media Password Protection Legislation, SHRM; Why The State Attorneys General’s Assault On Internet Immunity Is A Terrible Idea, Forbes

Nevada 11th State to Pass Social Media Privacy Law

Nevada became the eleventh state to pass legislation restricting employers’ ability to demand that employees provide their password(s) for social media sites.  The eleven states are Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon, Utah and Washington.
