Reed Smith attorneys Amy Mushahwar and Joshua Marker, of the firm’s Data Security, Privacy & Management practice, interviewed Travis LeBlanc, California’s Special Assistant Attorney General for Technology. Mr. LeBlanc oversees the California attorney general’s office’s new Privacy Enforcement and Protection Unit. Mr. LeBlanc had a number of interesting insights regarding this new office and indicated that online and mobile privacy, and enforcing privacy protections using existing state and federal laws, will be a particular focus of the state’s enforcement actions.
Travis: In July, Attorney General Kamala D. Harris announced the creation of the Privacy Enforcement and Protection Unit, which is a dedicated section of attorneys in our office, who will investigate and prosecute civil violations of federal and state privacy laws. That team will also be joined by Joanne McNabb, Director of Privacy Education and Policy. She will focus on doing outreach to industry about privacy concerns, as well as raising awareness among consumers about best practices around protecting your own privacy. She’ll also serve as an internal consultant on our privacy cases. We will bring her expertise to the work the attorneys are doing to address the privacy issues that are pressing today. Hopefully, that’s where we can best exercise our scarce resources.
Joshua: Regarding the creation of the unit, around six to seven months ago, the attorney general’s office announced the settlement with the application platforms, which would require privacy policies for all new applications. To what extent is this new Enforcement Unit a direct outgrowth of that earlier settlement?
Travis: Privacy and high-tech crime are two of Attorney General Harris’s top priorities. It became apparent to Attorney General Harris as we started to look at privacy issues over the past year-and-a-half that: (1) privacy law has become its own distinct area of the law that requires a certain expertise; and (2) it has become apparent that privacy law is not only emerging, but is also evolving with technology. As technology evolves, the privacy issues themselves, as well as the privacy concerns, are evolving. For example, it’s really only been a little more than a year that geo-locational concerns around privacy have been in the public eye. Privacy scholars and privacy advocates have been concerned about this for a little longer, but in terms of the public eye – what the everyday person is thinking about – geo-location has only come around in the past year or so. That created a whole new species of privacy concerns that people weren’t thinking about before, and it’s changing the way that we as people use technology and function. And once we realized these changes in the attorney general’s office, we knew we needed a dedicated team that could focus on this and not just do a little bit of privacy here and a little bit there. We also realized looking around the country, there weren’t many other regulators who were doing privacy enforcement work full time. We in California feel we have special responsibility over this kind of technology because a lot of it is developed here in this state. A lot of companies are headquartered here. Even when the technology isn’t developed or headquartered in this state, we have the largest economy of a state. We want to make sure the consumers are protected, and industry is protected as well.
Amy: Travis, you were mentioning specialization and having a group doing this full time. In addition to having those attorney resources dedicated, do you have technical resources in your unit?
Travis: Last year, in December, we created a high-tech crime unit called the eCrime Unit which investigates and prosecutes identity theft crime and crimes that involve the use or facilitation of technology, or where technology is targeted. With the creation of the eCrime Unit, we also brought in a team of eight investigators who have been and are being trained in digital forensics, as well as in how to investigate high-tech crimes. We have their technological expertise. We are looking now to expand on the privacy side to have a technologist embedded in the unit, much like the Federal Trade Commission appointing Ed Felten last year as their first Chief Technologist. We realize the value of that. Having a technologist in-house will be a very valuable addition.
Amy: We couldn’t agree more. Going back procedurally, as a unit, do you plan to look for cases and problems sua sponte or will you wait for consumer complaints? We would just love to know some idea of how you will get your case load.
Travis: We don’t have any one means of intake. We are always open for business. So I’ll start there. In terms of how we might hear about potential privacy violations and how we’ve heard about them, we do receive consumer complaints. They directly call our office. The second way we get them is all of the attorneys and employees in the office read the newspaper or follow blogs. If a concern is raised in any one of those, it could be turned over to the unit. Obviously, we have good relationships with the privacy advocates that are out there. When they learn about problems or have concerns, they contact us. Also, we might have ongoing cases that might involve something else, a general consumer protection issue, say fraud, and in the course of that, if we learn about an issue with the company’s privacy practices, that would then get the attention. That certainly has happened before. We even review a number of websites where consumers are lodging their complaints about a particular website or product. It’s not that we just look at the complaints that come to us, or look at blogs. We also look at discussion forums and see what’s going on, and we collaborate with other state attorneys general and regulators in matters as well. Sometimes other states or the Feds call us. Lastly, certain kinds of conduct or privacy issues, such as data breaches, are required to be reported to us. That’s another way we learn about potential problems. As those reports come in we will evaluate them and then pursue them where appropriate. So there are a lot of different ways we can hear about cases and, of course, we make a decision about which to pursue and which not to pursue.
Amy: It seems like you’re viewing jurisdiction the broadest way possible, you want to focus on mobile privacy and mobile security.
Travis: We are focusing most intently on the mobile space because it seems most relevant to Californians today.
Amy: So it’s a number of items under the mobile umbrella.
Travis: Yes, we are clearly focused there because that’s what most consumers are interacting with, but there are a lot of other privacy concerns that are out there that we do deal with. And they will also continue to be on our agenda.
Joshua: Regarding the mobile space, it seems as though there are a lot of different players and levels in the space. As we mentioned, you’ve already entered into a settlement with some of the platforms. Are you going to be looking at specifically the consumer-facing players, such as the applications themselves or maybe the companies involved in mobile advertising, or would you be looking at things in the background that consumers may not be aware of, such as analytics companies?
Travis: We are paying close attention to the mobile ecosystem. If you are in an ecosystem, we are paying a lot of attention there.
Amy: That’s certainly understandable.
Joshua: Tying back to what you said earlier about geo-location data as something that has recently come to the forefront of the majority of people’s understanding: What are your thoughts of other types of sensitive information or potentially sensitive information, such as device ID, where people in the industry are aware but the general public may not be?
Travis: My view, in this day and age, is that pretty much everything might be identifiable. Back in the day, you say your name, your address, you put it together – we thought those were PII. We now live in a world where because of the technological capacity available to anyone really to re-identify putatively anonymous data sets, I think that the best way to approach it as a company is to initially consider any data associated with an individual, as identifiable. I think that’s the safest way of conduct, in this day and age. I think to try to separate them and to decide what’s identifiable and absolutely non-identifiable is risky. I think the safest course of conduct is to treat them all as potentially identifiable. Once consumers find out their information has been released, they will have security concerns about any information they’ve shared with the company.
Amy: Thinking of Reed Smith’s client base, we have good actors we work with who find themselves making really tough decisions regarding how to collect and use data. Something that’s at the forefront of our minds is, in the event that your unit finds a violation or suspected violation, will it first contact the provider and give them an opportunity to cure the defect?
Travis: The attorney general would like to take a very collaborative approach with industry when it comes to regulation. I think we are inclined to reach out first, and have that initial contact to get any problem corrected; it gets tougher if people have paid for products that they thought did one thing and the products in fact do something else. But I think the natural inclination is to reach out to them first and get the industry to correct the problem. I can think of a substantial number of instances where we’ve done that, and gotten the issue corrected, rather than immediately filing an enforcement action.
Amy: And is it safe to say there’s probably a line of consumer fraud – it’s a slippery slope, of course – to help with compliance and enforcement mindset? Once we move from consumer privacy to consumer fraud, your ability to be proactive and be conciliatory certainly wanes.
Travis: Yes, it definitely gets more difficult. I think when it comes to data breaches, for example, it’s hard for us to reach out and then get them to correct it. That’s a harder scenario. If you find out there were all of these reasonable data protections they should have just had in place, the business for a reason took a risk. It’s much harder after the breach to call in and say we wish you had corrected this. On the other hand, if you have two app developers working out of a garage and they’ve created a really cool app that 500,000 people around the world have downloaded and there was a privacy issue that comes up, if we start litigating with them and start sending subpoenas, they will have to hire attorneys, the cost of litigation is high, and we risk shutting down the business. That’s an instance where we want to get them to correct it, and then if they don’t want to correct it, at that point it may be better to turn to our more traditional tools of enforcement. That’s the difficulty we have – trying to balance between established corporations that you know are doing business with 500,000 people and two people in a garage doing business with 500,000 people. We have not traditionally had to deal with that asymmetry. In the past, it was highly unlikely that two people would do business with 500,000 people across the county or even the world.
Amy: These niche providers and niche app developers are so sexy right now. You have the dynamic where big, Fortune 500 companies are selecting two guys in a garage who can process analytics for a particular piece of software. The relationship portion of this is something I always struggle with. Do you have any industries you are targeting initially? Data? Financial?
Travis: A law that requires companies that have data breaches involving more than 500 Californians to report to our office went into effect this year. This is the first time that any one agency in the state of California has had access to all of the data breaches involving more than 500 people. The numbers last year were surprising. There was a point last year where it seemed as if there was a massive data breach involving millions of people, every week. This year we’re still seeing lots of data breaches. They’re happening too frequently and they’re involving way too many people. Something has to be done. Now that we have these reports, now that we have the team devoted, I think that for us, this is low-hanging fruit.
Amy: So it’s going through your existing list of notices and seeing if any of those companies have items that need to be reviewed?
Travis: Yes, we’re developing criteria for which ones to target for further inquiry and investigation. We will have a way of doing real-time reviews of sorting out those that are not worthy of investigation, take those that we think are worthy of further inquiry, follow up, review it again, and decide if it needs to be an enforcement matter. And then decide if those are a criminal matter. That’s an easy target because we already have them. We can start working on those pretty quickly.
Amy: That’s fantastic. Is there anything we haven’t touched upon you would like to talk about?
Travis: I think the only other thing I briefly hit but that I want to emphasize is that, while the unit is about enforcement, it’s also about education, awareness and outreach. This is a very important component of the unit’s work to the attorney general. For example, we’re doing best practices. We have a document coming out soon, best practices in the mobile privacy space. We’re working with industry to develop best practices around privacy in the mobile space. I think you’ll see that we find that we can often be more successful when we collaborate with industry than when we do enforcement. One example is our apps agreement. Before the apps agreement, the Future of Privacy Forum did a study looking at the number of top free apps in the app store with privacy policies, and they found that 40 percent had them. They did another study five months after the settlement, same study, and found that the number of top free apps in the app store with privacy policies had doubled to around 84 percent. We didn’t file a single subpoena, or file a single enforcement action; yet we were able to double compliance with California law. When we have to go to enforcement action, it’s us versus one entity, and sure, once we get a decision or actual settlement, lawyers read it in the news and companies read it in the news and they may modify their policies. If we can quickly double compliance with our law without having to sue someone, that’s a big win for everybody. So I want to emphasize that while enforcement is there, we recognize the importance of collaborating with industry. There’s room for industry collaboration and we will actively pursue that to bring about results that not only improve consumer protection, but that also don’t stifle innovation unduly.
Joshua: Do you see California as being able to drive the policy discussion?
Travis: Yes, I believe Attorney General Harris is leading that discussion. She sees that we are the largest state, we have the largest economy when it comes to the technology which we are all talking about, it’s developed in our backyard. California has a special platform that we can use to move the policy debate forward on technology issues – whether they involve privacy, high-tech crime, competition in tech markets, or technology for law enforcement. California traditionally has been a bellwether state on privacy issues. California was the first state to pass a Do-Not-Call law. It was the first state to pass a data breach law. It was the first state to require online privacy policies. Attorney General Harris is continuing that leadership.
Amy: We think so, too.