California's regime for cyber security, privacy and data protection has some useful lessons for Australia.
As the world becomes more integrated, a myriad of laws could now apply to you if you engage in global transactions. Over the past few months, we have looked at developments in privacy and cyber security law in Singapore, China and the EU and compared them to developing law in Australia. Finishing up our world tour, we turn to the US.
The privacy and data protection regime in the US is a patchwork of federal and state law and industry self-regulation. But the state of California has worked to position itself as a leading influence on cyber security regulation and practice. So here we will look in depth at cybersecurity in California and highlight key differences and trends that might have an influence on Australian law.
US framework at a glance
The US legal framework on privacy and cyber security comprises a variety of Federal and State laws as well as best-practice guidelines developed by government agencies and industry groups.
The key federal law in this area is the Federal Trade Commission Act (FTC Act). This Act doesn't specifically regulate privacy or data security. Rather, it prohibits unfair or deceptive practices for consumer protection. However, these prohibitions have been used as a basis for the FTC to take enforcement action against companies for failing to comply with their posted privacy and security policies and for unauthorised disclosure of personal information. So, for example, when the Ashley Madison website experienced a massive data breach in 2014, the FTC took proceedings against Ashley Madison under section 5(a) of the FTC Act for a number of contraventions, including misrepresenting the steps taken to secure customer data.
At the Federal level there are also a variety of industry specific laws dealing with privacy and cyber security, which include:
- the Financial Services Modernization Act (also known as the Gramm-Leach-Bliley Act or GLB Act): this Act regulates the collection, use and disclosure of financial information. It applies to financial institutions including banks, securities firms and insurance companies, along with other companies providing financial services and products. Primarily, the GLB Act limits the disclosure of non-public personal information and in some cases requires providers to give notice of their privacy practices and an opportunity for individuals to opt out of having their information shared;
- the Health Insurance Portability and Accountability Act (HIPAA): this Act applies broadly to health care providers and related entities and regulates the collection and use of protected health information. It also requires covered entities to provide notice of a breach of protected health information; and
- the Children's Online Privacy Protection Act (COPPA) and the COPPA Rule: COPPA is intended to increase parental control over information collected from children online. Using powers granted by the Act, the FTC has created rules that apply to operators of commercial websites and online services (including mobile apps) that are directed at children under 13 and that collect, use or disclose personal information about those children. The Rule also applies to operators of general-audience websites or online services that have actual knowledge that they are collecting, using or disclosing personal information from children under 13. Operators covered by the COPPA Rule must (among other things) post clear and comprehensive privacy policies, obtain verifiable parental consent before collecting personal information from children, and maintain the confidentiality, security and integrity of the information collected. These operators are also prohibited from disclosing children's information to third parties (except where this is integral to the site or service).
So there are similarities between the GLB and HIPAA Acts and (for example) the regulation of personal information and sensitive information in Australia under the Privacy Act 1988 (Cth) ‒ in particular the principles dealing with open and transparent management of information (APP 1), notification of collection (APP 5) and use and disclosure (APP 6).
Unlike the Privacy Act, US laws don't expressly regulate commercial operators transferring information outside US borders. However, the FTC and other regulators have stated that applicable US laws still apply to data after it leaves the US. So the FTC considers that regulated US entities remain liable for data exported out of the US, as well as for the handling and processing of that data overseas by subcontractors.
Data security under Californian law
In the absence of general federal laws regarding cyber security, States have had to make their own way, with California leading the charge. California was the first US State to enact a security breach notification law (California Civil Code 1798.82), which it has continued to update as technology has advanced.
The law requires any person or business that owns or licenses unencrypted data containing personal information to disclose a security breach to all California residents whose personal information was (or is reasonably believed to have been) accessed by an unauthorised person. If the person or business giving the notification was the source of the breach, it must also offer to provide affected customers with identity theft prevention and mitigation services at no cost for at least 12 months. A data breach notification must be given in the most expedient time possible.
Cyber security practices
In addition to notification of data breaches, Californian law specifically requires businesses to take steps to secure data (Civil Code 1798.81.5). This law requires businesses to use "reasonable security procedures and practices" to protect personal information from unauthorised access, destruction, use, modification or disclosure.
This section of the Civil Code doesn't define what "reasonable security procedures and practices" requires. However, the Californian Department of Justice has suggested that, at a minimum, this standard would require compliance with the 20 security controls specified in the Center for Internet Security's "Critical Security Controls for Effective Cyber Defense". These are described as well-prioritised, vetted and supported security actions which can be viewed as constituting a minimum level of security.
Other jurisdictions have followed California's lead with laws prescribing steps to avoid a security breach. For example, Massachusetts has enacted regulations prescribing a list of technical, physical and administrative security protocols aimed at protecting personal information, which companies must implement in their security architecture and policies (201 CMR 17.00).
Security breach notice for critical infrastructure businesses
The California Legislature is currently reviewing a bill (Assembly Bill No. 1359) that would require "Critical Infrastructure Businesses" to give notice of security breaches. A Critical Infrastructure Business is an entity whose business relates to systems or assets (whether physical or virtual) that are so vital to the US that their incapacity or destruction would have a debilitating impact on security, economic security, public health or safety. In particular, the bill requires a Critical Infrastructure Business to give notice to the Californian Office of Emergency Services of any unauthorised electronic access to critical infrastructure controls or acquisition of critical infrastructure information.
California vs Australia ‒ how do they compare on cyber security, privacy and data protection?
There are a couple of key differences between the Californian regime and current Australian law.
Firstly, let's look at data breaches. Australia's new data breach law will come into force in February. It amends the Privacy Act to create a scheme for notification of "eligible data breaches", but the obligation to give a notice is only triggered if the disclosure is likely to result in serious harm. This is a more lenient approach than the Californian scheme which requires notification on acquisition (or a reasonable belief of acquisition) of unencrypted information by an unauthorised person. Arguably the Australian approach creates a perverse incentive for firms to determine that the risk of harm from a data breach doesn't reach the relevant level. The Californian scheme also requires businesses to provide identity theft mitigation at no extra cost to affected persons in certain cases. If the Australian legislature were minded to, this would be one way (other than penalties) to ensure Australian businesses have some skin in the game when it comes to securing customer data.
Another interesting difference relates to security procedures and practices. As noted above, Californian law requires "reasonable" security procedures and practices. This is similar to APP 11, which requires APP entities that hold personal information to take reasonable steps to protect that information from unauthorised access (among other things). However, the Californian requirement is now linked to procedures and practices developed by the Center for Internet Security. By contrast, the requirements under APP 11 are flexible, depending on factors such as the entity's size and resources as well as the scope and type of the information held. By providing a minimum standard for compliance, the Californian approach could help entities to understand their obligations, and enforcement agencies to administer them.
Finally, we noted that the FTC has used legislation that regulates misleading and deceptive conduct to take action against businesses that don't live up to their policies and public statements on privacy and cyber security. To date, the Australian Competition and Consumer Commission hasn't adopted the same stance in Australia. But, given the prohibitions on misleading and deceptive conduct in the Australian Consumer Law 2010 (Cth), there is likely scope for the ACCC to pursue these types of actions against businesses that collect, hold and disclose consumer data.