As we head toward the Labor Day Weekend, it is a good time to point out a couple of noteworthy state-level legislative developments in the Information Security and Privacy space.

California

On August 22nd the California State Assembly passed SB 914, which amends the California Penal Code to make clear that police must acquire a search warrant in order to search an individual’s cell phone or other portable electronic device incident to the arrest of that individual.

This legislation, which has been closely watched in California, is the reaction to a decision by the California Supreme Court in January, which found that police officers could lawfully search an arrested person’s cell phone without first obtaining a search warrant in accordance with an exception to the warrant requirement known as search incident to arrest.

In that case, People v. Diaz, 51 Cal.4th 84 (2011), the court majority analogized the contents of a person’s cell phone to the contents of a purse or briefcase in the possession of an arrestee. Such items, under the search incident doctrine, may be searched by police either at the scene of the arrest or later at the police station. The Diaz court further relied on the need to prevent destruction of evidence as a reason to allow a warrantless search. The new legislation rejects this rationale, finding that “concerns about destruction of evidence on a cellular telephone can ordinarily be addressed through simple evidence preservation methods and prompt application … for a search warrant…”.

Consistent with what appears to be a growing consensus about the significance of cell phone information, the new legislation notes that: “The intrusion on the information privacy and freedom of communication of any person arrested is of such enormity that it must require arresting officers to obtain a warrant to search the information contained in or accessed through an arrested person’s portable electronic device.”

The bill, which previously passed the California Senate, will shortly be sent to the Governor for signature.

Illinois

Illinois has amended its breach notification statute to (1) require that breach notifications include certain minimum information; and (2) require that persons or entities (referred to as data collectors in Illinois) who possess, but do not own, the sensitive personal information of others “cooperate” with the owners of the information when there has been a data breach.

Information now required to be included in Illinois breach notifications includes: the toll free telephone numbers and addresses for state consumer reporting agencies, and the toll free telephone numbers, addresses and web addresses for the FTC. Breach notifications must now also contain a specific statement advising the recipient that affected individuals may obtain information about fraud alerts and security freezes from these organizations.

In a somewhat puzzling twist, the statute also specifically forbids providing notification about the number of Illinois residents affected by the breach.

The duty placed on non-owners to cooperate with information owners requires a non-owner to (1) inform the data owner of a breach by at least advising him of the date or approximate dates of the breach; and (2) advise the owner of any steps that have been or are planned to be taken regarding the breach.

Lastly, Illinois has added a new statutory provision, applicable to all persons and entities, specifying minimum standards for the destruction or disposal of sensitive personal information, and penalizing the failure to do so. “A person must dispose of the materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable.” Violators are subject to fines of up to $100 for each person whose personal information has not been properly disposed of (up to a total maximum of $50,000).