California Privacy Bills Reach Governor's Desk, One Signed Already

The Consumer Federation of California has been tracking and supporting a number of privacy related pieces of legislation this year. I'm pleased to report that last week three of them passed out of the legislature with one already being signed into law. 

SB 24 - Signed by Governor

SB 24 (Simitian) - a security breach notification bill - was one that we, and a host of other privacy advocates fought to enact for the last four years running, and in each instance was vetoed by then Governor Arnold Schwarzenegger. Thankfully, our luck finally turned with Governor Brown's signature last week. 

As detailed in a recent op-ed by CFC's executive director, if you are one of the many Californians who had your confidential information compromised in a security breach, you most likely found out by receiving a letter in the mail. After reading it, you were probably quite upset, but confused about what you should do about it. SB 24 will help consumers make sense of these notices, and help arm us to stop identity theft. Security breaches since 2005 exposed at least 500 million personal records of Americans, according to the Privacy Rights Clearinghouse. Some breached records contained sensitive data such as social security numbers, bank or credit card numbers or medical information.

Sony, Citibank, and the Bay Area Rapid Transit District are recent examples of businesses and government agencies whose customers’ records were stolen by hackers. Just last week it was revealed that 300,000 Californians’ intimate medical records, along with their social security numbers, were viewable for months to anyone with an internet connection, owing to an insurance processing business’ failure to safeguard its electronic data files. 

SB 24 will provide an important upgrade to California's landmark breach notification law. It spells out which key details must be included in that notification letter, and would make sure the Attorney General hears about the breach.  If a social security number or drivers license was exposed, the notice letter explains how to contact major credit agencies. That’s especially important, because it empowers consumers to better monitor their accounts for evidence of identity theft, and to take concrete steps to prevent identity theft, including freezing your credit report.

Requiring these details also creates a strong incentive for companies and state agencies to be careful with your information. No one wants their signature at the bottom of that notification letter. It won't come as a surprise to anyone that technology puts our private information, from social security numbers to medical files, at risk. The exponential growth of electronic records -- while beneficial in many respects -- makes breaches more likely and far more severe.

Losing a filing cabinet with 500 records is difficult. Losing a laptop with 5 million records is all too easy. For this reason, over 40 states have adopted security breach notice laws modeled on California law. Privacy notification laws won't stop every security lapse from happening. But they will make businesses and agencies take more precautions to safeguard their data files. And if you ever do get that dreaded letter in the mail, you'll be able to do something about it. 

SB 602 (Yee) - Reader Privacy Act - Awaits Governor's Decision 

The privacy threats posed by the explosion of digital books, which will store data that can include books browsed, how long a page is viewed, and even the electronic notes written in the margins. It's not hard to see the detailed portrait this could paint of your life. Thankfully, this concern is finally being addressed by SB 602 (Yee) -  which would provide important privacy protections for digital book readers. Even better, the bill passed the legislature last week and now awaits the Governor's decision.

Without such legislative protection, you can imagine how tempting this information could be to the government or other litigants, like those involved in divorce cases, custody battles, or insurance disputes.

In the case of digital books, we're not talking about just another library - librarians utilize a different standards for dealing with user information than does the online world. Many libraries routinely delete borrower information, and organizations such as the American Library Association have fought hard to preserve the privacy of their patrons in the face of laws such as the U.S. Patriot Act.

Senate Bill 602 (Yee) would update privacy protections in the digital age by preventing the disclosure of information about readers from booksellers without a warrant in a criminal case or a court order in a civil case. It also requires booksellers to report the number and type of requests they receive to track government demands for reader information. Without such protections, we're talking about a virtual one-stop shop for government and third party "fishing expeditions into the personal details of our lives." 

SB 914 (Leno) - Police Search of Smart Phones - Awaits Governor's Decision

The next bill addresses the current loophole in California that essentially allows police, without a warrant, to seize and search individuals smart phones or androids like they do a traditional cell phone. Its not hard to see why they should in fact be treated differently, being that modern cell phones are becoming more like all purpose computers than just phones, and therefore contain ALL KINDS of personal, private information the authorities have no right to without a warrant.

The problem is that in California, a privacy rights leader I should add, does not provide citizens with such protections. In fact, California's top court ruled against privacy in a case involving a 2007 arrest of someone who had purchased drugs from a police informant. Investigators later looked through the individuals phone and found text messages that implicated him in a drug deal. The suspect appealed the conviction, saying the evidence was gathered in violation of the Fourth Amendment, which prohibits unreasonable searches and seizures.

The justices disagreed: "The cell phone was an item (of personal property) on the person at the time of his arrest and during the administrative processing at the police station. Because the cell phone was immediately associated with defendant’s person, (police were) entitled to inspect its contents without a warrant." 

But the court went further - comparing the cell phone to personal effects like clothing. Worse, it argued that it wasn't because the police had a particular right in this particular case, or there was some special exception that allowed such a search, but rather, it argues that no exception was even necessary. In other words, this case was not an exception, but rather the NEW rule: cell phone records are now of little difference than the shirt on your back if you've been arrested. This is a deeply disturbing precedent if it holds. 

As State Senator Mark Leno wrote, "If you like to attend political rallies, parades, protests or sit-ins, you might consider leaving your cell phone at home in the unlikely event arrests are made. A recent California Supreme Court decision allows police to rummage through all of the private information on your smart phone as part of an arrest, including your text messages and e-mails. This warrantless search is now legal in California, regardless of whether the information on the phone is relevant to the arrest or if criminal charges are ever filed.

 ... 

Earlier this year I introduced a bill that would protect Californians against the Supreme Court decision allowing warrantless searches of the private information contained in portable electronic devices, including cell phones. Senate Bill 914 clarifies that an arrestee’s cell phone can only be accessed with a warrant, except in circumstances where there is an immediate threat to public safety or the arresting officer. It acknowledges that accessing information on a cell phone is fundamentally different than searching an arrested person’s wallet, cigarette pack or jeans pockets.

While SB 914 provides critical privacy safeguards for Californians, these protections are not new. Until the California Supreme Court decision earlier this year, state and local police correctly assumed that the state’s constitutional privacy protections prohibited warrantless searches of cell phones during an arrest. In addition, the Ohio Supreme Court has ruled that cell phone searches require a warrant, and federal law enforcement agencies also abide by the warrant protocol.

In most cases, searching a cell phone immediately during an arrest is an extraordinary measure. Once an arrest is made and the arrestee’s belongings are confiscated, a warrant for a cell phone search can be obtained if it is important to a criminal case. SB 914 will help ensure that a simple arrest – which may or may not lead to charges – is not used as a fishing expedition to obtain a person’s confidential information. 

Read more here.

All in all, its been a pretty good week on the California privacy front. I'll be back with information on SB 601 and SB 914 once we get a decision from the Governor.