The new twist is that the California AG is now expanding CalOPPA to include mobile applications. What may also be surprising to some is that CalOPPA has existed since 2004, but notification of mobile app inclusion began a year ago. Since February 2012, Google, Apple, Facebook, HP, Microsoft, Research in Motion and Amazon have jointly agreed to privacy principles ensuring compliance with CalOPPA. The California AG, Kamala D. Harris, is supported by a state enforcement and protection unit that reaches out to online service providers with warning letters to those found to be out of compliance. The deadline to inform Harris as to when compliance will be met is a brisk thirty days, after which a fine of $2,500 per application download can be levied. Let that one sink in for a moment: per download. So this is no small sum for even a moderately popular app.
AG Harris states on her website that “Protecting the privacy of online consumers is a serious law enforcement matter”. The enforcement that is now taking place is going to serve as a serious wake-up call to all online service providers that collect information about Californians, i.e. basically all providers. This is not the first foray into trailblazing concerning privacy originating from California. In 2003, the California Security Breach Information Act became a state law. Commonly known as SB-1386, this law required that owners of any breached sites collecting PII of Californians were responsible for notifying all affected parties. Massachusetts took this concept much further in 2010 with its Data Protection Law (MA 201). The MA 201 law is designed to protect the citizens of Massachusetts by requiring compliance with a set of security standards for “every person who owns, licenses, stores or maintains personal information about a resident of the Commonwealth…”. The law includes language on access control, encryption, firewalls, and awareness training.
So what would drive California and Massachusetts to have detailed security provisions regarding privacy and PII collection? How does this impact my business and are these two the only states of concern? It isn’t as if you are likely to refuse California, Massachusetts or any other state’s (or even country’s) business to avoid complying with these laws. When it comes to addressing data breaches, there are multiple state laws with varying degrees of strictness. In fact, according to the National Conference of State Legislatures, all but four states have security breach notification laws as of August 2012. The likely reason for such impactful state laws is the lack of a clear federal regulation to provide one singular, cohesive and comprehensive set of laws that meet even the minimal requirements of all state laws.
Cybersecurity legislation had an embattled run in 2012 with no resolution. The 113th Congress in 2013 is expected to pick up the topic, and an Executive Order is likely to be signed this month. Until then, states will continue to prepare legislation that protects their residents’ data regardless of the location of the online service provider. Now that California is touching the third screen with CalOPPA, time will tell how soon other states may follow suit. Now would also be a good time to review your mobile applications and the necessary privacy policies, before your letter arrives.
About the Author:
John Ceraolo is the chief security officer at 3Cinteractive where he directs the organization’s enterprise risk management, business continuity, and information security. Ceraolo has been leading security initiatives within global organizations for over 20 years.