A few odds and ends this week. First, Baer Business Law’s official (i.e., bears the imprimatur of our marketing department!) happy hour recommendation for the first week in August is Finn McCools, located at the corner of 12th and Sansom Streets in what (this week) is called the Midtown Village area of Center City.

Baerbizlaw's happy hour pick of the week


Finn’s is a hopping amalgam of the old-school Irish pub and the sleek, 21st-century Center City gastropub. The food is a step above traditional bar fare (try the Ahi tuna nachos, in particular), although Finn’s is not one of those chi-chi-fru-fru (feel free to correct my spelling) Old City bars where you pay $8 for Yuengling lager in a bottle. Solid drafts and happy hour specials abound, and for attorneys, there is the added benefit of mingling with many of Philly’s freshest young DAs. (Since Lynne Abraham & Crew moved to the Wanamaker building a couple of years ago, Finn McCools has replaced Mace’s Crossing on the Parkway as the prime DA happy hour hangout.) I occasionally show up and try to represent the beleaguered private sector at these gatherings.

While you’re quaffing your Stella at Finn’s, let’s talk about California. As any technology lawyer can tell you, California for years has been the laboratory and incubator for privacy and data security legislation (although Massachusetts and Nevada are now giving it a run for its money). California Senate Bill 1386, which took effect in 2003, was the first broadly applicable requirement mandating the sending of notices if personal information is potentially compromised in a data breach, and as we all know, most states in the Union, as well as D.C., have now emulated the California approach. Senate Bill 1, which also became effective in 2003, set standards for the privacy of financial information that went beyond the federal Gramm-Leach-Bliley Act (for example, by requiring financial institutions to obtain opt-ins from their customers before sharing non-public personal information with unaffiliated third parties). In addition, a 2005 law was an early prototype of more assertive prevention-focused data security legislation, requiring businesses that own or license personal information about California residents to use reasonable security measures to safeguard that information and to require unaffiliated third parties to which they disclose this information to do the same.

One can disagree ideologically with California’s top-down, paper-heavy, micro-managerial regulatory approach (and I frequently do!), but no one can deny the state’s importance in pioneering the law of privacy and data security. Therefore, if you’ll forgive a shameless plug, I am really looking forward to traveling to San Francisco to speak at the Compliance Decisions conference on September 17 about Nevada’s new data security statute (which requires encryption and PCI DSS compliance) and updates in California data security law. The best analogy I can make is that this is like giving a talk on Catholic theology in the Sistine Chapel.

One of the topics I plan to touch on is Senate Bill 20, an amendment to California’s original data breach law that is now making its way through the legislature. This bill sets very specific requirements with respect to the content of any data breach notice required under California law — for example, requiring a general description of the breach incident, a list of the types of personal information subject to the breach, the estimated number of persons affected by the breach (if determinable) and information about the date of the breach, among other things. If the breach notice is required to be sent to 500 or more California residents, the bill also requires the sender to provide an electronic sample copy to the state attorney-general. Minor amendments to SB 20 were made in the California Assembly on July 23, and the legislation will most likely be passed and signed into law later this year.

As always, please continue to visit www.baerbizlaw.com for updates on Philly watering holes, California privacy and data security legislation, and the world of technology law, which like happy hour libations, is always in a constant state of ferment.

2 Responses to “Happy Hour and a Philly Technology Lawyer Goes to San Fran”

  1. luke says:

    I’m curious as to how Nevada could be considered an ‘incubator for privacy and data security legislation’. I understand Massachusetts as it is a bio-pharma hub. But Nevada?

    As I live in Reno I would love to be educated in how this could be.

    I don’t know many people that would be overly ecstatic in stealing 80-year-olds’ comp card numbers…

  2. andrew says:

    Nevada traditionally hasn’t fulfilled this role, and California was at the forefront until 2008. However, by passing and then strengthening a law that specifically requires the encryption of personal information transmitted outside of secure networks or stored on portable devices and media moved beyond a business’ physical and logical controls, Nevada (and Massachusetts, which passed an encryption law around the same time) took the lead. They did this by abandoning the largely technology-neutral approach used by previous state and federal data security legislation. Why Nevada, of all states, became part of the vanguard is a good question. Despite the housing bust in Nevada, up to now it has been one of the fastest-growing states in terms of both population and its economy, and its tax-friendly environment attracts business incorporations. Therefore, there is a large and burgeoning amount of business activity in Nevada that involves the collection, storage, use and/or transmission of personal information and/or cardholder information (which is covered by the statute’s PCI DSS compliance requirement) — everything from hotels and resorts, to high-tech businesses, to check cashing agencies. They say that what happens in Vegas stays in Vegas, but if it leaves Vegas for any reason, it now has to be encrypted. I expect other states to follow suit soon, but for the moment Nevada and Massachusetts are the trailblazers.
