Dawn Valentine



Articles By This Author

California's Reader Privacy Act: What Every Bookseller Must Know

On January 1, 2012, the California Reader Privacy Act went into effect. The Act requires all “book service providers,” i.e., book sellers, in the State to take certain steps when responding to governmental requests for user information and to make specific reports and disclosures regarding those requests.

The Act protects against unauthorized disclosure of private information regarding books and book readers.

California consumers are increasingly using digital book services and providers, and in doing so such entities may collect detailed personal information about consumers, such as which books were browsed, how much time is spent reading each page, and digital notes made in the margins. The Act is meant to address the privacy issues this raises and to codify the privacy and free speech safeguards for expressive records guaranteed by the California Constitution.

The Act prohibits book service providers—defined as any service that has as its primary purpose the “rental, purchase, borrowing, browsing, or viewing of books”—from knowingly disclosing the personal information of any of its users to a law enforcement agency except per a valid court order based on probable cause and a determination that the requesting agency has a compelling interest in obtaining the information that could not be obtained by less obtrusive means. 

Before a court issues an order to disclose user information, the book service provider must have been given “reasonable notice” so that it has the opportunity to appear and contest the issuance of the order.

Once a book service provider receives a court order seeking disclosure of a user’s personal information, the service provider must notify the user so that he or she has a chance to appear and contest or quash the order.

The Act also imposes certain reporting requirements on all book service providers. If a book service provider discloses the personal information of 30 or more California users in a year, it is required to prepare a report that is to be made publicly available in an online searchable format. A book service provider with a commercial web site is required either to create a prominent hyperlink to the report required under this Act or to state that no report was prepared because the service provider was exempt from the reporting requirement (because fewer than 30 disclosures were made).

The provisions of the Act are ignored at a book service provider’s peril. A service provider that violates the Act is subject to civil penalties payable to the user and/or the Attorney General, and the Act may be the basis of civil actions and liability brought by the user, the Attorney General, or a district attorney within two years of discovery of any violation of the Act.

For more information or any questions regarding the requirements of the newly enacted Reader Privacy Act, please contact Dawn Valentine, 415-743-3731 dvalentine@bargerwolen.com.

Privacy - New California Security Breach Notification Requirements Set Standard Core Content for Notification Letters

The purpose of this alert is twofold: (1) to remind our clients that both federal and state law requires financial institutions and most businesses to safeguard their customers’ information; and (2) to advise of new requirements for security breach notification letters.

In 2002, California adopted a first-in-the-nation security breach notification statute (AB 700, Simitian) (the “Security Breach Notification Law”).

The Security Breach Notification Law requires companies that do business in California and retain their customers’ personal information to notify individuals when there has been a data breach involving their personal information.

Background

Since 2002, 45 other states, as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, have also enacted security breach notification laws that are modeled upon California’s Security Breach Notification Law. Only Alabama, Kentucky, New Mexico and South Dakota do not have security breach notification laws.

Moreover, 14 states (Hawaii, Iowa, Maryland, Massachusetts, Minnesota, New Hampshire, New York, North Carolina, Oregon, Vermont, Virginia, West Virginia, Wisconsin, and Wyoming) and Puerto Rico have built upon California’s model and added more detailed requirements for security breach notifications to include certain types of information.  

Further, the federal government has weighed in. As of February 19, 2009, for breaches of personal medical information, individuals have to be notified and those notifications must contain certain specified content.

Still further, most of these states require a business that suffers a security breach to notify a state regulator, such as the Attorney General, in addition to the affected individuals (Alaska, Hawaii, Louisiana, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, South Carolina, Vermont, and Virginia).  

SB 24 Data Breach Notification

Accordingly, not to be outdone as the leader in consumer protection, effective January 1, 2012, California adopted new requirements (SB 24 – amending Civil Code sections 1798.29 and 1798.82) for what information must be put in a security breach notification letter. 

The purpose underlying these new requirements is to close a gap that has been identified – the old requirements simply required data holders to notify individuals when there had been a data breach involving personal information but were silent on what information should be contained in the notification.

As a result, security breach notification letters varied greatly in the information they provided, leaving consumers confused and without answers to the basic questions: what information was breached, when did the breach occur, and what should consumers do to protect themselves.

Moreover, businesses were left exposed and uncertain of what was expected of them in the event of a breach.  

The new requirements fill this gap by establishing standard, core content for the notification letters. Specifically, the new law requires that security breach notification letters, at a minimum, contain the following information:

  1. The name and contact information of the reporting agency, person, or business;
  2. A list of the types of personal information that was compromised or the subject of the breach;
  3. Any of the following, if the information is possible to determine at the time the notice is provided: the date or estimated date of the breach, or date range within which the breach occurred;
  4. The date of the notice;
  5. Whether the notification was delayed because of an investigation by law enforcement, if the information is possible to determine at the time the notice is provided;
  6. A general description of the breach incident, if the information is possible to determine at the time the notice is provided; and
  7. The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number, or a driver’s license or California Identification Card number.

This new law also provides that an agency, person, or business may also include the following information in a security breach notification, at its discretion:

  1. Information regarding what the entity has done to protect individuals whose information has been breached; and
  2. Advice on steps that the individual may take to protect himself or herself.

The new requirements also obligate any agency, person, or business that is required to provide a security breach notification to more than 500 California residents as a result of a single breach of the security system to submit a single sample copy of the notification electronically to the California Attorney General. That copy shall not be considered to be a record of complaint or investigation under the California Public Records Act.


Generally, safeguarding standards applicable to financial institutions and most businesses require the creation and implementation of a comprehensive written information security program that includes administrative, technical and physical safeguards to: (1) ensure the security and confidentiality of customer information; (2) protect against anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information. 

Since security breaches attract major media attention, if you are not in compliance with your safeguarding obligations, now is the time to come into compliance.

If you have any questions or comments about your safeguarding obligations, please don’t hesitate to contact Dawn Valentine at (415) 743-3731; dvalentine@bargerwolen.com.
