On Monday, June 25 at 8 A.M. Pacific, attorney Lily Li appeared as a guest star on KUCI 88.9 FM’s Privacy Piracy radio show. During the half-hour segment, Ms. Li discussed the impact of the recent General Data Protection Regulation, growing developments in state privacy regulation, and the California Consumer Privacy Act.
To listen to this broadcast, please click on the MP3 below.
KUCI 88.9 FM is a commercial free radio station, based out of the University of California – Irvine. For more information, see http://kuci.org/
Privacy Piracy is a half-hour public affairs radio show broadcasting on KUCI 88.9 FM. The show is co-hosted by attorney and privacy consultant Mari Frank and production engineer Lloyd Boshaw. For more information, see http://privacypiracy.org/
As Californians gear up to vote in this week’s primary elections, the state’s businesses and voters should be aware of two separate privacy law developments: SB-1121 and the Consumer Privacy Act.
SB-1121 and Increased Liability for Data Breaches
On May 30, 2018, the California Senate recently voted to send SB-1121 to the state Assembly. The proposed amendment to the state’s current data breach laws (codified at Sections 1798.80-1798.84 of the Civil Code) would increase corporate liability for data breaches. The key provisions are as follows:
California “consumers,” not just “customers,” will be able to sue businesses under California’s data-breach protection laws. Under the existing rules, a California resident can only sue a business for a data breach if it provided information to the business for the purpose of buying products or services. This amendment would cover all businesses that maintain the personal data of California residents, regardless of the relationship between the business and the resident. The expansion of liability to consumers is in part responsive to the Equifax hack. In that situation, the credit agency reported that the records for about 148 million Americans were compromised, but very few of those people would be considered “customers” of Equifax.
California residents will be able to sue for a minimum of $200 in penalties per violation, without proof of consumer injury. This poses the risk of large-scale consumer class actions, for even minor data breaches, even where no one was harmed by the breach.
SB-1121 sets a 4-year statute of limitations “from the time the person discovered, or, through the exercise of reasonable diligence, should have discovered” a data privacy violation.
[Originally published as the May 2018 Cover Story: Data Privacy and the Law – American Privacy Laws in a Global Context: Predictions for 2018, by Lily Li, in Orange County Lawyer Magazine, May 2018, Vol. 60 No.5.]
Cybersecurity Attacks Are Inevitable
Cybersecurity attacks are on the rise. According to the non-profit organization, Identity Theft Resource Center, there were over 1,579 publicly reported data breaches in 2017, compared to 1,091 in 2016, and 780 in 2015. Not only are these cyberattacks happening at high-profile companies like Equifax, Uber, and Yahoo, they are increasingly happening to businesses of all sizes. Any entity able to pay a ransom is now a potential target.
Law firms are no exception. In 2017, DLA Piper was hit with a “wiper-ware” attack, following previous email hacks of Cravath and Weil Gotshal in 2016. Earlier this year, UK-based cybersecurity firm, RepKnight, reported that almost 800,000 UK law firm email addresses and affiliated passwords were available on the dark web, with over 50% of these credentials posted in the last six months. These law firms did not just include local UK firms, but global law firms with a UK presence.
Given these alarming statistics, what should legislators do?
In the EU, Canada, and China, legislators have decided to develop and implement national data privacy and cybersecurity frameworks: GDPR, PIPEDA, and CSL respectively. The United States, by contrast, still relies upon a patchwork of sectoral laws and inconsistent state rules. This article will take a brief look at developments in the EU, Canada, and China, discuss the current United States privacy framework, and predict likely developments in U.S. privacy law over the next year.
[Originally published by Lily Li in the Spring 2017 Orange County ABTL Report]
Humanity has long imagined self-aware computers that can pilot our vehicles, purchase goods, and even sing songs for us, whether as the malevolent Hal in 2001: A Space Odyssey or the spunky Samantha in Her. Though fully sentient artificial intelligence is still science fiction (as far as we know), computer software has become “smart” enough to converse with us through text-based services like Facebook messenger, WhatsApp, or WeChat, or voice-operated services like Amazon’s Alexa or Apple’s Siri. As more e-commerce transactions are completed via these “chatbots” or “chatterbots” and away from browser-based websites, this begs the question: Will courts enforce the Terms of Service for chatbot contracts when the terms no longer appear on the same page – or even the same medium – as the transaction itself?