Nymity News

Interview with Ryan Barker

April 2005


Interviewee: Ryan Barker, Chief Privacy Officer of Privacy Council. Privacy Council provides cost efficient, practical and high quality privacy and data protection products and services for business and government organizations.

By: Terry McQuay, President of Nymity


Subject: California's new privacy laws and the impact they may have on Canadian organizations with operations in California

Nymity: Please introduce yourself and Privacy Council.


Barker:  I’ve been working in the privacy field fulltime for the last six years. In 1999, I was asked if I was interested in managing a privacy assessment project at Novell, Inc. At the time I was the law clerk for Novell’s litigation attorney. I didn’t know much about data privacy, but I thought it sounded like an interesting project to be a part of. I’ve been doing it ever since, now as CPO and consultant at Privacy Council.


Nymity: What are some of the latest privacy laws in California?


Barker: California is leading the way in providing privacy protections to consumers in the United States. They have many privacy laws covering issues like online privacy, identity theft, health information, and unsolicited communications. One of the most recent laws to take effect is the Information-Sharing Disclosure law (SB 27 (2003)). It’s also known as the “Shine the Light” law. It took effect on January 1, 2005 and requires businesses and non-profits to designate a contact point for privacy inquiries by California customers about data sharing with third parties for their own marketing purposes. According to the law, organizations must provide a notice and cost-free opt-in/opt-out in response to an inquiry or provide a very detailed explanation of such disclosures.

The Security of Personal Information law (AB 1950 (2004)) also went into effect on January 1, 2005. It’s the country’s first non-sector-specific information security law. This law imposes a duty on businesses and non-profits to implement and maintain reasonable security procedures and practices to protect sensitive personal information. Additionally, when disclosing personal information to a third party, contracts must be in place requiring the third party to implement security procedures and practices. The law applies to personal information about a California resident when the resident’s name is combined with information such as social security number, driver’s license number, or financial account numbers or access codes.

Other important California privacy laws that went into effect over the last 2 years are the Notification of Security Breach Law (SB 1386 (2002)) which took effect on July 1, 2003, the Online Privacy Protection Act of 2003 (AB 68) which took effect on July 1, 2004, and the Financial Information Privacy Act (SB 1) which also took effect on July 1, 2004. California’s Notification of Security Breach law was drafted in response to the growing problem of identity theft and requires organizations to notify any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The type of information that triggers the notice requirement is an individual's name plus one or more of the following: Social Security number, driver's license or state ID card number, or financial account numbers. Once notified, affected individuals can then take steps to protect themselves from identity theft.

The Online Privacy Protection Act of 2003 requires all owners or operators of commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site and to comply with its policy. The privacy policy must, among other things, identify the categories of personally identifiable information collected about site visitors and the categories of third parties with whom the operator may share the information.

The Financial Information Privacy Act (SB 1) prohibits financial institutions from sharing or selling personally identifiable nonpublic information without obtaining a consumer's consent. It also provides for a plain-language notice of the privacy rights as required by the law. SB 1 is the strictest law on the books in all 50 states and is not preempted by the passage of FACTA.


Nymity: Who provides oversight for these laws?


Barker: It depends. For example, SB 1, the Financial Information Privacy Act is enforced by California’s state financial regulators and by the Attorney General. Most privacy laws are codified in the California Civil Code, with no specific administrative agency having oversight. Therefore, the laws are generally enforced by the State Attorney General and/or County District Attorneys, either through statutory remedies associated with specific laws or through the state's unfair competition statute.

California is the first state to have an agency dedicated to promoting and protecting the privacy rights of consumers. The Office of Privacy Protection was created as a result of legislation enacted in 2000. During the 2003-2004 fiscal year the Office responded to close to 6,000 calls and emails regarding consumer issues such as identity theft, business practices and spam. While the Office does not enforce California’s privacy laws, the Office assists individuals with privacy-related concerns and educates consumers. The Office also recommends policies and practices that organizations should follow to better protect individual privacy rights. Privacy Council participated in drafting the Recommendation Practices Guide for SB 27 and AB 1950.


Nymity: Do these laws impact companies that have California customers, but no physical presence in California?


Barker: Most definitely yes! For example, a company with 20 or more employees that has an established business relationship with a California resident must comply with the “Shine the Light” law when sharing customer information with a third party business for the third party’s own marketing purposes. It doesn’t matter where the company is based. There are a few exceptions, but for the most part, as long as you have at least one customer who resides in California, you are covered by this law. The law is not limited to business relationships that occur only or entirely in California – it applies to business relationships that occur online, by mail, by phone, or by fax.

Additionally, the recent activities surrounding ChoicePoint perfectly underscore how California privacy laws are affecting companies no matter where their customers reside. ChoicePoint revealed last month that alleged identity thieves had duped the company into selling the names, addresses, Social Security numbers and other data on tens of thousands of people. As a result of California’s Notification of Security Breach law, ChoicePoint ended up notifying not only over 34,000 Californians, but also over 110,000 individuals from other states.

ChoicePoint has also suspended some sales of consumer information to small businesses. This move will reduce its revenue in 2005 by $15 million to $20 million. The company's stock has dropped more than 17% since the personal information breach was announced February 15th. Shareholder lawsuits have begun to roll in, which will impact future earnings with a combination of legal fees, settlement offers, and jury verdicts. The Federal Trade Commission has begun investigating the company for failure to protect its data adequately. ChoicePoint also said it will incur incremental expenses related to the customer fraud, including $2 million for bureau reports and monitoring service for affected consumers identified to date. Finally, the SEC has started its own investigation into massive insider selling by ChoicePoint's CEO between the time management learned of the security breach and the time it informed the public. At this point, it is difficult to fully estimate what expenses ChoicePoint will incur for legal, consulting and other operating items.

You will see other states implement laws very similar to California’s laws. As some people say, “Where California goes, there goes the rest of the nation.”


Nymity: What was the motivation for these laws?


Barker: I believe a number of issues motivated the creation of these laws. Things like identity theft and consumers’ desire for openness regarding how organizations collect, use, share and secure their personal information. Also new technology, which increased the potential risk that data may be accessed or used inappropriately, and consumers’ irritation over their information being transferred to third parties without their permission or used for marketing purposes without the opportunity to opt out. Additionally, California’s always been known as a progressive state. They aggressively go after consumer issues like privacy.


Nymity: What are the penalties for non-compliance?


Barker: Information-Sharing Disclosure - Customers are entitled to recover a penalty of up to $500 per violation, as well as reasonable attorneys’ fees and costs. For each willful, intentional, or reckless violation, organizations can be fined up to $3,000 per violation. The law does not preclude class action enforcement.

Financial Information Privacy Act - An entity that negligently discloses or shares nonpublic personal information in violation of this law is liable, irrespective of the amount of damages suffered by the consumer as a result of that violation, for a civil penalty of no more than $2,500 per violation. If the disclosure or sharing results in the release of nonpublic personal information of more than one individual, companies can be penalized up to $500,000.

Security of Personal Information - Any customer injured by a violation of this title may institute a civil action to recover damages. For a willful, intentional, or reckless violation of this law, a customer may recover a civil penalty up to $3,000 per violation. If the violation is not intentional or reckless, the customer can recover a civil penalty of up to $500 per violation.

Notice of Security Breach – This law does not include specific details on penalties or fines. However, it does mention that customers injured by a violation of this title can institute a civil action to recover damages.


Nymity: What are organizations doing to comply with this legislation?


Barker: Organizations should be making the appropriate changes in their information management practices to ensure compliance with California’s privacy laws. This means updating privacy policies and ensuring they are conspicuously posted online, assessing the security safeguards in place to protect personal data, and drafting procedures and guidelines detailing how the company will respond if information privacy or security is breached.


Nymity: What is recommended for Canadian organizations with operations/customers in California?


Barker: Gain a good understanding of the laws that have been enacted in California. Identify if you have customers or operations located in California. Ensure executive management understands the risks associated with doing business in California. Assess your privacy and security policies and procedures to verify whether they comply with California’s requirements. Close any gaps you find and remediate risks. Educate and train your employees on California’s privacy and security requirements and monitor your organization’s practices to ensure ongoing compliance.

Nymity: In closing, how can you help a Canadian organization with these recommendations?


Barker: Since 1998, Privacy Council has been helping organizations identify information management opportunities, make privacy a competitive advantage, and comply with privacy and security regulations and laws. We do this by:


  • Conducting regulatory compliance assessments
  • Creating and/or reviewing privacy-related policies
  • Identifying data flows and architecture
  • Scanning Web sites using our Privacy Scan technology
  • Planning and reviewing global data transfers
  • Developing privacy procedures and strategies
  • Developing privacy requirements for IT systems
  • Conducting training sessions and presentations
  • Implementing privacy monitoring programs


For further information, visit Privacy Council.