With the proliferation of intentional computer hacks and unintentional security breaches, this past year has heralded increased scrutiny of data privacy practices as well as enhanced state, federal, and international regulations governing cybersecurity and data privacy. This article highlights the changing legal landscape of cybersecurity and data privacy over the past year and what to expect in the year ahead.

California

Attorney General’s Data Breach Report

California continued to lead the nation in passing legislation and regulatory guidance intended to protect the online personal information of its residents. In February 2016, the California Office of Attorney General released its Data Breach Report, which comprehensively analyzes the data breaches reported to its office between 2012 and 2015.[1] Notably, the Report cites the Center for Internet Security’s list of Critical Security Controls (the Controls) as the standard for “a minimum level of information security that all organizations that collect or maintain personal information should meet.”[2] The Report asserts that a “failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”[3] 

Thus, businesses storing or processing the personal information of California residents should implement the Controls, which are, for the most part, written in simple language and fairly easy to follow. The Controls can help a company assess how compliant its security measures are, and they provide concrete measures for a company to take to enhance its cybersecurity.

Data Breach Notification Law Amendment

In response to the Anthem Health Care data breach in February 2015 and the increased frequency and magnitude of data breaches affecting California residents, the California Legislature passed and enacted Assembly Bill 2828.[4] The law amends the California Data Breach Notification Law and took effect as of January 1, 2017.

Essentially, AB 2828 modifies the former encryption safe harbor provision of the California Data Breach Notification Law. Under the former version of the Data Breach Notification Law, a safe harbor provision exempted encrypted personal information from the law’s notification requirements in the event of a data breach. However, the proponents of the amendment raised the concern that if the keys to unlock the encrypted data are also stolen before, during or after the original breach, then the data stolen might as well have not been encrypted.

To close this security loophole, AB 2828 only allows an encryption safe harbor so long as the encryption key or security credential was not also breached or acquired by an unauthorized person.[5] The “encryption key” and the “security credential” mean “the confidential key or process designed to render the data useable, readable, and decipherable.”[6] 

In the event that both the encrypted personal information data and the encryption key or security credential are both breached, then the company that owns such data must follow the notice requirements set forth in the statute, which includes notifying the affected California residents as expediently as possible.[7] Such notice must include specific information required under the statute.[8]

European Union

US-EU Privacy Shield

In October 2015, the European Court of Justice invalidated the former Safe Harbor program that governed the transfer of personal data between the U.S. and the EU. Four months later, the EU announced a new framework for the transfer of such data, the Privacy Shield, which went into effect in August 2016.

The new Privacy Shield framework includes more stringent requirements than the former Safe Harbor paradigm. The Privacy Shield functions as a self-certification process, requiring companies that process EU personal data to develop and implement privacy policies and procedures that conform to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability.[9]

The Privacy Shield’s future is already plagued with uncertainty. First, the Privacy Shield has been challenged in Europe’s General Court by European-based privacy groups.[10] Second, the Privacy Shield compromise is based on commitments made in letters between the Obama Administration and the European Commission regarding mass surveillance. The new Trump Administration’s recent actions suggest that such commitments may not be honored by the U.S. government. Furthermore, the President’s Executive Order on Enhancing Public Safety in the Interior of the United States, issued on January 25, 2017, could potentially jeopardize the Privacy Shield framework.[11]

General Data Protection Regulation (GDPR)

In April 2016, the European Parliament passed the General Data Protection Regulation (GDPR), which will take effect in May 2018.[12] The regulations apply to companies that control or process personal data of people residing in the European Union, regardless of whether the company processing the data is located within the EU or not.[13] Given the significant technological and logistical requirements of the GDPR, companies conducting business in the EU are already beginning to take measures in preparation for compliance with these new regulations.

The GDPR will impose more comprehensive restrictions on how personal data of EU residents can be processed, including limitations on what data can be held and processed and limitations on who can access personal data. The GDPR will also provide data subjects with greater rights and control over their own personal data, including rights of transparency and access, the right to be forgotten, and the right of portability of their data.

In contrast to California’s laws encouraging encryption, the GDPR emphasizes the use of pseudonymization.[14] Although the use of pseudonymization does not automatically exempt the data processor from the GDPR, many of its requirements are relaxed for controllers who use pseudonymization.[15] Also, in certain instances, the use of pseudonymization may allow the data controller to avoid notification of breaches.[16]

China

Network Security Law

In November 2016, China’s National People’s Congress passed the Network Security Law (NSL) a/k/a Cybersecurity Law, the first-ever national comprehensive legislation regulating cybersecurity and data privacy in China. The NSL applies to “the construction, operation, maintenance and usage of networks” within mainland China.”[17] “Network” is broadly defined as “systems comprised of computers or other information terminals and related equipment that follow certain rules and procedures for information gathering, storage, transmission, exchange and processing.”[18] 

The law contains more stringent requirements for “critical information infrastructure operators”, who must store data collected within mainland China territory within mainland China’s borders (i.e. not in Hong Kong or any other country).[19] Exceptions are available if storage outside the mainland is “truly necessary,” but the critical information infrastructure operator must work with the State Council to be eligible for such an exception.[20]

The NSL includes provisions that essentially codify the Chinese government’s restrictions on Internet usage and require companies to monitor and censor “prohibited” content.[21] The law also provides for data security and privacy requirements for all network operators, including the following:

• formulating an emergency response plan for “network security incidents” and notifying the government and users of data breaches;[22]

• providing “technical support” to government agencies during investigations;[23]

• obtaining the data subject’s consent for collecting personal information;[24]

• refraining from providing personal information to a third party unless the data subject expressly consents or the data has been made anonymous such that the identity of the data subject is not recoverable;[25]

• ensuring that all personal information collected is secured and protected from being leaked, destroyed, or lost.[26]

Noncompliance with the NSL can carry significant consequences, including monetary fines on both the company and the responsible individual(s).[27] The government is also authorized to shut down a noncompliant company’s website and revoke its license to conduct business.[28] For “serious” violations involving the endangerment of “national security,” the violator can be detained for five to fifteen days.[29] 

Draft Security Standards

On December 21, 2016, China’s National Information Security Standardization Technical Committee (NISSTC) released a draft version of cybersecurity and data protection standards called the Information Security Technology -- Personal Information Security Specifications. The draft standards provide more detailed guidelines for best data privacy and cybersecurity practices for companies operating in China. The standards provide specific requirements for notice and consent, breach notification procedures, the scope and nature of recommended data privacy audits and risk assessments.  They also include a model privacy notice.

Recommended Practices

Large and small businesses that store, transfer, or process personal information should implement strong cybersecurity and data privacy policies and practices to protect their valuable and confidential data. These policies and practices should also align with the various regulatory and legal requirements that govern their business operations in both the United States as well as foreign jurisdictions. Such practices should include, at a minimum:

• Creating a cybersecurity plan that details the organization’s response strategy to a security breach;

• Contractually requiring business partners to comply with the organization’s data privacy and cybersecurity policies (e.g. to ensure data is encrypted and that the encryption keys are secured);

• Maintaining strong data privacy policies and procedures for administrative, technical, and physical safeguards of personal information and encryption keys and to ensure security and confidentiality of data; and

• Routinely training employees on the organization’s cybersecurity and data privacy policies and procedures.

Author: Brittny Bottorff, Attorney

The Maier Law Group helps companies ensure that their policies and practices comply with the relevant data security and cybersecurity laws and regulations.  We also offer tailored cybersecurity training for companies. Please contact us at info@maierlawgroup.com for more information.

This article has been prepared for general informational purposes only and does not constitute advertising, solicitation, or legal advice. If you have questions about a particular matter, please contact the Maier Law Group directly.

[1] See California Data Breach Report, February 2016, Kamala D. Harris, Attorney General, California Department of Justice.

[2] Id. at v.

[3] Id.

[4] See ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION AB 2828 (EdChau, Chair) As Introduced Feburary 19, 2016, available at http://www.leginfo.ca.gov/pub/15-16/bill/asm/ab_2801-2850/ab_2828_cfa_20160331_171336_asm_comm.html. 

[5] Cal. Civ. Code § 1798.82(a).

[6] Cal. Civ. Code § 1798.82(k).

[7] Cal. Civ. Code § 1798.82(a).

[8] Cal. Civ. Code § 1798.82(a).

[9] US-EU Privacy Shield Framework, Requirements of Participation, available at https://www.privacyshield.gov/article?id=Requirements-of-Participation. 

[10] See Application, Digital Rights Ireland Ltd v. Commission, Case T-670/16, 2016 O.J. (C 410) (Sept. 16, 2016) and Application, La Quadrature du Net and Others v. Commission, Case T-738/16, 2017 O.J. (C 6) (Oct. 25, 2016).

[11] See, e.g., Burgess, Matt, New Presidential Order Could Wreck US-EU Privacy Shield, Wired January 27, 2017.

[12] See Regulation (EU) 2017/679 of the European Parliam and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.52016, available at http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf. For detailed review of the coming changes, visit the EU GDPR website at http://www.eugdpr.org/the-regulation.html.

[13] GDPR, at Articles 1, 3.

[14] The GDPR defines “pseudonymization” as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” See GDPR, at Article 4(5).

[15] GDPR at Articles 6(4)(e), 15-20, 89(1), 25(1), 32(1)(a).

[16] Id. at Article 31.

[17] PRC Network Security Law (promulgated by the Standing Comm. Nat’l People’s Cong., Nov. 7, 2016) Art 2.

[18] Id. at art. 76(1).

[19] Id. at art. 37.

[20] Id.

[21] Id. at art. 47, 58, 68.

[22] Id. at art. 21, 25-26, 42.

[23] Id. at art. 28.

[24] Id. at art. 41.

[25] Id. at art. 42.

[26] Id. at art. 42.

[27] Id. at art. 59-75.

[28] Id.

[29] Id. at art. 63.