Privacy law has traditionally focused on an individual’s right to privacy vis-à-vis a government’s physical intrusion. Privacy law, however, has morphed in recent years to address concerns of the digital age, including data breaches.
A data breach is an incident in which sensitive, protected, or confidential data has been potentially viewed, stolen, or used by an individual unauthorized to do so. In the last several years, we have seen significant data breaches concerning Sony, Target, Ashley Madison, Anthem, Home Depot, Hilton Hotels, and many other companies. As the number of data breaches increases, so does the cost for the affected companies. Reuters reported that the average cost to a company for a data breach in 2015 was $3.8 million, with upper ranges exceeding $150 million.
Compliance with data privacy laws can be a daunting and complicated undertaking given the various layers of law in both the U.S. (at the state and federal level), and abroad, as these laws are generally not harmonized.
The following summarizes recent updates to California state law and to European Union law in connection with data privacy.
California’s data breach notification laws require businesses to notify California residents whose unencrypted personal information was acquired, or is reasonably believed to have been acquired, by an unauthorized person. Accordingly, the data breach notification requirement does not apply if the data is “encrypted”. Previously undefined, recent changes to the data breach notification laws now define “encrypted” as “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security”. Note that the definition turns on whether the data is actually indecipherable to the intruder: if the decryption key is exposed in the same incident, the data is not meaningfully unreadable to that person, so key management matters as much as the choice of cipher. Thus, companies must pay greater attention to how personal information is secured and evaluate their existing encryption to ensure it meets generally accepted industry standards.
In addition, the recent changes to the data breach notification laws in California have expanded the statutory definition of “personal information”. The statutory definition now includes license plate numbers obtained from an automated license plate recognition system, in combination with an individual’s first name or first initial and last name, when either the name or the data element is not encrypted. Other items included in the statutory definition of “personal information” are a user name or email address, in combination with a password or security question and answer that would permit access to an online account.
The recent changes also set forth a model template for data breach notifications. In sum, the data breach notification must be written in plain language in at least 10-point font, be titled “Notice of Data Breach,” and use the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.”
Beginning in 2000, the European Commission and the United States Department of Commerce agreed to provide a “Safe Harbor” framework for U.S. companies to ensure the necessary protection of European individuals’ personal data transferred from the EU to the U.S. The Safe Harbor allowed U.S. companies to self-certify a commitment to protect personal data in accordance with European requirements. However, on October 6, 2015, the Court of Justice of the EU invalidated the Safe Harbor in Maximillian Schrems v. Data Protection Commissioner. The invalidation of the Safe Harbor was effective immediately.
The Safe Harbor was only one of a number of approved mechanisms by which personal data can be legally transferred from the EU to the U.S. Therefore, if your U.S. business relied on the Safe Harbor for the transfer of European individuals’ personal data from the EU to the U.S., or if your business uses third-party service providers who relied on the Safe Harbor, you need to move as soon as possible to a substitute legal basis that currently justifies such transfers. For example, U.S. businesses may enter into data transfer agreements incorporating the European Commission’s “Standard Contractual Clauses”, and multinational groups may adopt Binding Corporate Rules for transfers within the group. Either way, inventory which of your data flows and vendors depended on the Safe Harbor, since the gap is not only in your own contracts but in your service providers’ as well.
As data privacy law evolves in the U.S. and abroad, the implications will resonate globally in this digital age.