2015 Developments in Cyberspace Law

• Publication year: 2016
• Author: Ravi Puri

2015 Developments in Cyberspace Law

Ravi Puri

Ravi Puri is a Director and Senior Legal Counsel with Western Digital Technologies, Inc. in Irvine, California and focuses on helping clients with e-commerce, consumer products, and general business matters. Ravi is Co-Vice Chair of the State Bar of California's Cyberspace Law Committee.

With an eventful 2015 behind us, this article focuses on the plethora of notable legal developments that arose in Cyberspace law and that impacted online businesses and consumers. Much of the content for this article is derived from contributions from members of the Cyberspace Law Committee who regularly submit e-bulletins to keep interested BLS section members up to date on the latest Cyberspace law developments. Several new legislative enactments this past year dealt with issues related to the protection of personal information. At the federal level, there were important decisions related to the Americans with Disabilities Act ("ADA"). At the state level, there were also a number of important rulings impacting general business operations online and new litigation practices.

California Legislation

Assembly Bill 1541 (2015-2016 Reg. Sess.) (Gatto) - Privacy: Personal Information.

This bill amends section 1798.81.5 of the Civil Code. On July 14, 2015, Governor Jerry Brown signed Assembly Bill 1541 into law to expand the definition of "personal information" in the context of any personal information owned, licensed, or maintained about Californians within a business's internal customer account or for the purpose of using the information in transactions with the person to whom the information relates. Businesses that own, license, or maintain such information are required to implement and maintain reasonable security procedures and practices to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

The definition of "personal information" will now also include the following information that needs to be protected:

1. if unencrypted, an individual's first name or first initial and his or her last name in combination with "Health insurance information" - an individual's insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records; and
2. A username or email address in combination with a password or security question and answer that would permit access to an online account.

Effective Date: January 1, 2016

Assemb. B. 1541, 2015-2016 Reg. Sess., 2015 Cal. Legis. Serv. ch. 96 (West). The full text of Assembly Bill 1541 is also available at http://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201520160AB1541.

Assembly Bill 964 (2015-2016 Reg. Sess.) (Chau) - Civil Law: Privacy.

This bill amends sections 1798.29 and 1798.82 of the Civil Code. On October 6, 2015, Governor Jerry Brown signed Assembly Bill 964 into law to define the word "encrypted" in the context of a data security breach involving computerized data. Currently, a breach involving unencrypted personal information that was, or is reasonably believed to have been, acquired by an unauthorized person requires a business to disclose such breach and notify impacted individuals.

[Page 23]

To help businesses determine if a disclosure or notification is required, Assembly Bill 964 looks to help clarify the difference between "encrypted" and "unencrypted" by deeming personal information to be "encrypted" if it is rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

Effective Date: January 1, 2016

Assemb. B. 964, 2015-2016 Reg. Sess., 2015 Cal. Legis. Serv. ch. 522 (West). The full text of Assembly Bill 964 is also available at http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201520160AB964.

Senate Bill 570 (2015-2016 Reg. Sess.) (Jackson) - Personal Information: Privacy: Breach.

This bill amends sections 1798.29 and 1798.82 of the Civil Code. On October 6, 2015, Governor Jerry Brown signed Senate Bill 570 into law to provide a model security breach notification form in the event of a data security breach involving computerized data that includes unencrypted personal information that was, or is reasonably believed to have been, acquired by an unauthorized person.

Security breach notifications must now be titled "Notice of Data Breach" and should present relevant notification information under the following prescribed headings: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," "Other Important Information," and "For More Information."

Effective Date: January 1, 2016

S.B. 570, 2015-2016 Reg. Sess., 2015 Cal. Legis. Serv. ch. 543 (West). The full text of Senate Bill 570 is also available at http://leginfo.legislature.ca.gov/faces/ billNavClient.xhtml?bill_id=201520160SB570.

Senate Bill 178 (2015-2016 Reg. Sess.) (Leno) - Privacy; Electronic Communications: Search Warrant

This bill adds chapter 3.6 (commencing with section 1546) to the Penal Code. On October 8, 2015, Governor Jerry Brown signed the California Electronic Communications Privacy Act (CalECPA, Senate Bill 178) into law. The new act (the "Act"), which applies to governmental entities seeking electronic information (e.g., from service providers), updates California privacy protections to focus upon the proliferation of digital data, including email, text messages, and cell phone records. The Act limits the government's right to compel the production of or access to electronic communication or device information from a person other than the authorized possessor of the device absent a warrant, a wiretap order, an order for electronic reader records, or a subpoena.

Physical interaction with an electronic device by the government is also limited to warrant, wiretap order, specific consent of the authorized possessor, specific consent of the owner of the device when it has been reported lost or stolen, good faith emergency involving death or injury, or where the government entity in good faith believes the device to have been lost, stolen, or abandoned, but then only to attempt to identify, verify, or contact the owner. The Act also specifies additional requirements for a warrant issued under the Act and gives the courts additional discretionary limitations upon granting any such warrant, as well as providing for notice to the identified targets of the warrant where such an order is sought or issued.

The Act establishes evidentiary objections to support a motion to suppress evidence obtained or retained in violation of the Fourth Amendment to the U.S. Constitution or the Act and gives enforcement authority for the Act to the Attorney General. The Act allows any person whose information is sought to petition the issuing court to void or modify the order. Importantly, the Act also provides that neither a...