Earlier this month, the California Chamber of Commerce hosted a timely panel discussion on data security policy at both the federal and state levels.
The panel was moderated by Jeanne Cain, CalChamber executive vice president of public policy. Also featured were CalChamber Policy Advocate Jeremy Merz, Bradley Hayes from the U.S. Chamber of Commerce and Lorinda Harris, a privacy attorney with DLA Piper.
The panel focused on a number of privacy legislative trends, including data breach notification, cyber threat information sharing amongst businesses and the government, data security and drones.
This panel discussion came on the heels of an active year for the California Legislature in the privacy arena. At the beginning of the year, Assembly Speaker Toni Atkins (D-San Diego) created the Committee on Privacy and Consumer Protection to focus on the high volume of privacy bills that were introduced.
The CalChamber successfully opposed a number of bills that would have upset the balance between consumer privacy and consumer demand for innovation and services. CalChamber also supported two bills, including one that was signed by the Governor.
As large data breaches continued to occupy headlines, the Legislature introduced a number of bills on this topic, and CalChamber took positions on three of them.
• CalChamber initially opposed SB 570 (Jackson; D-Santa Barbara), which would have unnecessarily created new litigation exposure on employers for insufficient breach notices. Specifically, this bill would have mandated a specific form for breach notifications.
With 47 states each having different breach notification laws, using this California-only form would have created significant compliance issues and expenses. CalChamber worked with the author’s office to remove the mandate on use of the form. CalChamber also agreed to minor changes to current law that will make the notices more consumer-friendly. With these amendments, CalChamber removed its opposition and the bill was signed by the Governor.
• CalChamber also initially opposed AB 964 (Chau; D-Monterey Park), which would have created an arbitrary 30-day deadline for businesses to notify consumers of personal information breaches.
Current law already mandates that consumers are notified “in the most expedient time possible, and without unreasonable delay.” This allows for businesses and law enforcement to conduct complete investigations of suspected breaches in order to fully inform consumers while still providing timely notifications.
The 30-day deadline would have resulted in premature, incomplete or unnecessary notifications being sent out before an investigation was completed. The bill was amended to remove the deadline and, as a result, CalChamber removed opposition. This bill was signed by the Governor.
• Finally, CalChamber supported AB 259 (Dababneh; D-Encino), which requires government entities that maintain personal information to provide identity theft prevention and mitigation services to consumers when breaches occur.
Businesses already have these requirements under current law. The government suffers security breaches just as the private sector does and CalChamber has maintained that laws governing data breach requirements should be the same for both the public and private sectors. Unfortunately, this bill was held in the Senate Appropriations Committee.
CalChamber took an oppose-unless-amended position on AB 83 (Gatto; D-Glendale), which expands liability for protecting information that does not present a threat of fraud or identity theft to consumers.
AB 83 is a significant data security bill that further defines businesses’ data security requirements and expands the definition of personally identifiable information (PII).
Conceptually, CalChamber did not oppose the new definition for data security requirements. It did, however, oppose expanding the PII definition, currently limited to information that could allow identity theft and financial fraud or reveal health information.
Each expansion of this definition requires significant costs and resources, and brings litigation risk associated with protecting the new information and providing notices if it is breached. Accordingly, expansion of the PII definition should be limited to personal information whose misuse would be harmful to consumers and each additional personal information element should be defined precisely.
CalChamber worked with the author’s office throughout the year to find a viable solution to the expansion of the PII definition. AB 83 was turned into a two-year bill and CalChamber continues to work with the author’s office over the interim.
User Consent/Information Disclosure
CalChamber opposed SB 576 (Leno; D-San Francisco), which would have stifled innovation and growth in the mobile application economy by mandating unnecessary, redundant and impractical notice and consent requirements that would have left many current and future mobile applications unusable. CalChamber labeled this bill a job killer and it was not heard in the legislative policy committee.
CalChamber supported SB 178 (Leno; D-San Francisco), which modernizes digital surveillance laws and, in doing so, provides clarity to businesses regarding when and how the government can access electronically stored consumer information.
Current laws govern when businesses must turn over consumer information to the government—this generally requires a warrant. These laws, however, did not apply to electronically stored information, leaving businesses unclear about how to respond to government information requests. SB 178 provided this clarity and was signed into law by the Governor.
The proliferation of drones for commercial use and by hobbyists prompted the Legislature to introduce a number of bills on the topic. The CalChamber opposed one of these bills that affected commercial drone operation.
SB 142 (Jackson; D-Santa Barbara) would have expanded liability for the wrongful occupation of real property to include operating a drone below 350 feet without the property owner’s permission. This would have stymied commercial drone innovation in California before the Federal Aviation Administration finished its rulemaking process and developed national regulations on drone operation.
Ultimately, the Governor vetoed this bill.