Our new offices in Old City

My biggest challenge in putting the presentation together was to connect all of these dots into some type of coherent pattern. At the beginning of the summer, it looked like we were moving to a much more “prescriptive,” technology-specific, top-down style of data security regulation in the former Massachusetts mold (rigorous computer system security and personnel access control requirements for all businesses owning or licensing personal information, 128-bit encryption, etc.). Then Massachusetts did an about-face, and other states failed to follow the Nevada and Massachusetts model of requiring encryption for personal information transmitted over open networks or stored on portable devices.

The two federal data security bills would set a national data breach standard and national standards for implementing data security safeguards, but are largely technology-neutral (Congressman Bobby Rush’s H.R. 2221 even goes so far as to prohibit the FTC from setting specific technological requirements!). At the end of the day, I told my largely California-based audience that their state data security statute (the original data breach notice legislation combined with a requirement to use reasonable data security safeguards appropriate to the nature of the data) would likely be the paradigm for national and other state data security legislation. California is the trend-setter for insanity in many areas of the law, but its regime seems relatively sane when compared, for example, with the earlier, anal-retentive version of Massachusetts’ 201 CMR 17.00.

While the breeze in San Francisco Bay was lovely, it’s good to be back in the City of Brotherly Love, and in new digs, too. More to come.

Baerbizlaw's happy hour pick of the week

While you’re quaffing your Stella at Finn’s, let’s talk about California. As any technology lawyer can tell you, California for years has been the laboratory and incubator for privacy and data security legislation (although Massachusetts and Nevada are now giving it a run for its money). California Senate Bill 1386, which took effect in 2003, was the first broadly applicable requirement mandating the sending of notices if personal information is potentially compromised in a data breach, and as we all know, most states in the Union, as well as D.C., have now emulated the California approach. Senate Bill 1, which also became effective in 2003, set standards for the privacy of financial information that went beyond the federal Gramm-Leach-Blilely Act (for example, by requiring financial institutions to obtain opt-ins from their customers before sharing non-public personal information with unaffiliated third parties). In addition, a 2005 law was an early prototype of more assertive prevention-focused data security legislation, requiring business that own or license personal information about California residents to use reasonable security measures to safeguard that information and to require unaffiliated third parties to which they disclose this information to do the same.

One can disagree ideologically with California’s top-down, paper-heavy, micro-managerial regulatory approach (and I frequently do!), but no one can deny the state’s importance in pioneering the law of privacy and data security. Therefore, if you’ll forgive a shameless plug, I am really looking forward to traveling to San Francisco to speak at the Compliance Decisions conference on September 17 about Nevada’s new data security statute (which requires encryption and PCI DSS compliance) and updates in California data security law. The best analogy I can make is that this is like giving a talk on Catholic theology in the Sistine Chapel.

One of the topics I plan to touch on is Senate Bill 20, an amendment to California’s original data breach law that is now making its way through the legislature. This bill sets very specific requirements with respect to the content of any data breach notice required under California law — for example, requiring a general description of the breach incident, a list of the types of personal information subject to the breach, the estimated number of persons affected by the breach (if determinable) and information about the date of the breach, among other things. If the breach notice is required to be sent to 500 or more California residents, the bill also requires the sender to provide an electronic sample copy to the state attorney-general. Minor amendments to SB 20 were made in the California Assembly on July 23, and the legislation will most likely be passed and signed into law later this year.

As always, please continue to visit www.baerbizlaw.com for updates on Philly watering holes, California privacy and data security legislation, and the world of technology law, which like happy hour libations, is always in a constant state of ferment.