Health Privacy, Data Breaches in Sights Of California AG, Technology Assistant Says

By Joyce E. Cutler, Privacy & Security Law Report

Reproduced with permission from Privacy & Security Law Report, 12 PVLR 521 (March 25, 2013). Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033) <http://www.bna.com>

PALO ALTO, Calif.--Looking to move beyond its mobile applications privacy enforcement efforts, the California Office of the Attorney General is focusing its consumer protection efforts on health privacy as well as investigating data breaches, Special Assistant California Attorney General for Technology Travis LeBlanc said March 21.

The Office of the Attorney General this spring will be releasing two reports--one on medical identity theft and a second analyzing data breach notifications to the AG, LeBlanc, who is senior advisor on technology, privacy, and cybersecurity to AG Kamala Harris (D), told lawyers and technologists at a University of California Berkeley Center for Law & Technology privacy symposium.

“AG Harris is paying close attention to how providers and record management companies are accomplishing the move to digital medical records,” he said.

“We're also redoubling efforts to protect Californians from the dangerous effects of data breaches,” he said. Under a law enacted in August 2011, covered entities must report data breaches affecting more than 500 residents, LeBlanc explained.

The percentage of mobile apps with privacy policies rose from 40 percent to 84 percent in less than a year, according to Travis LeBlanc, special assistant California attorney general for technology.

He said 160 breaches were reported to the AG in the first year after the new law took effect Jan. 1, 2012.

Centralized reporting allows the AG to analyze trends about what practices and what sectors are more susceptible to breaches, LeBlanc said. The forthcoming data breach report will focus on the results of that analysis, he said.

“We plan to use the report to determine which among these breaches merit further investigation, and where appropriate, enforcement actions,” he said, adding that additional enforcement is coming “this year.”

Mobile Apps Compliance, New Legislation.

California's first-in-the-nation privacy policy principles for mobile applications have meant the percentage of mobile apps with privacy policies rose from 40 percent to 84 percent in less than a year, LeBlanc said, adding that they are aiming for 100 percent compliance.

“Ultimately, in my view, our mobile apps best practices document reflects elementary principles of ethics: be honest; don't be greedy; allow people to exercise their autonomy; [and] be accountable.”

Just as brick-and-mortar stores should be concerned about what activity takes place on their premises and what billboards are placed on their buildings, “an online business, a mobile app, should concern itself with what activity is ongoing through its platform or its app, what it's facilitating, what advertising is taking place on its site,” LeBlanc said.

“Conversely, apps should take responsibility for what is happening with the advertisers themselves who may be collecting information through their apps. Business should not support bad actors in the online world just as they wouldn't in the offline world,” he said.

LeBlanc noted that several digital privacy bills introduced this year in the California Legislature seek either to amend California's Online Privacy Protection Act (OPPA) or to regulate some facet of digital privacy .

LeBlanc said the AG supports A.B. 370, which would amend the OPPA to include in the terms of service whether an operator of a commercial website or online service that collects personally identifiable information will honor do not track signals from browsers.

He noted that another bill this session (A.B. 257) would establish minimum privacy protections for users of mobile apps in California.

The AG is examining legislation (S.B. 46) that would require the reporting of password breaches in certain circumstances, LeBlanc said.

The bill would extend the state's data breach notification law to apply to passwords, user names, and security questions and answers to accounts other than financial accounts.

S.B. 46 recognizes “that digital privacy is not just a civil liberty concern, but is also a cybersecurity and public safety concern. It is especially important to identify passwords and credentials breaches because so many people use their password for multiple websites, and those passwords are only as safe as the security questions,” LeBlanc said.

Unique Legal, Technology Position.

California has a unique legal position with a constitutional right to privacy, LeBlanc noted. Moreover, the California Online Privacy Protection Act, Cal. Bus. & Prof. Code §§ 22575-22579, requires commercial operators of online services, including mobile and social media apps, to conspicuously post a privacy policy informing users of what personally identifiable information is being collected and how it will be used.

In the absence of a federal standard “it really is incumbent to the states to step in and serve as the laboratories for innovation,” LeBlanc said.

“California is the ninth largest economy in the world. The vast majority of technology that we're talking about is developed here. The companies behind it are headquartered here,” LeBlanc said.

California has a special relationship with modern technology. “There is no question at least in my mind that the engine of innovation combusts in California,” LeBlanc said.

Just as the New York attorney general is often called the sheriff of Wall Street, “the attorney general of California has a comparable perch from which to ensure Silicon Valley treats consumers fairly, respects their rights, and protects their safety online and off,” LeBlanc said.

Yet the traditional tools of legislation, regulation, and litigation insufficient to deal with digital age innovation, LeBlanc said. “The velocity of innovation has outpaced the inertia of our regulatory system,” he said.

And regulators must adapt how they regulate, which is why the AG is engaging in cooperative efforts educating attorneys, developers, and consumers, reporting results, and partnering with industry, LeBlanc said.

By Joyce E. Cutler

Copyright 2013, The Bureau of National Affairs, Inc.