Governor Jerry Brown’s selection of Congressman Xavier Becerra to succeed (now Senator) Kamala Harris as the new Attorney General of California was a surprising move that brings into power in California a seasoned advocate of the economic prosperity of California, but one without a clear track record of privacy law enforcement. Mr. Becerra comes back to California after serving on the powerful House Ways and Means committee, and comes from a background of protecting social security, first and foremost, but also brings with him a strong track record of paying close attention to issues affecting California’s largest economic sectors, including technology, healthcare, and the entertainment industry.
From the outset, Mr. Becerra has stated that privacy is one of his “top priorities” and that “today, more than ever, a strong privacy program, which includes data security, is essential to the safety and welfare of the people of California and to our economy.”
So what does that broad initial proclamation mean? 2016 was an active year in data security regulation and enforcement in California. New laws came to pass regulating privacy in California’s health exchange marketplace, pre-schools and kindergartens, and more. As one example, California amended its data breach notice requirements, including requiring notification to the California Attorney General’s office for any breach of encrypted information only if the encryption key or security credential was also, or reasonably is believed to have been, acquired by an unauthorized person. Further, 2016 saw a large enforcement action settled with Wells Fargo Bank for privacy breaches and consumer notice issues.
But perhaps of most import, in 2016 the attorney general’s office published its long anticipated report on privacy breaches that contained analysis of the data that the office had been collecting since 2012. This report chronicles 657 breaches and provides a roadmap for the industries that will receive the heaviest scrutiny: retail, financial services, and health care. Mr. Becerra, unlike his predecessor, now has mountains of data on data breaches in California, and likely will use this to enforce California’s privacy laws under the mantle of consumer protection.
One additional point to focus on with the new attorney general is California’s likelihood of continuing to provide stronger protections and regulations in the face of retreating federal standards. For example, a recent law in California provides additional security provisions as part of California’s “safe at home” program. These new provisions protect the identities and even otherwise publicly available information, such as real property records of any individual who is a patient, employee, or volunteer at a reproductive health care clinic, among other protected categories. Clearly this new law is intended to bolster the privacy rights of recipients of reproductive health care, and is one example of specific areas that the attorney general is likely to target with regard to privacy protections in the face of a changing federal landscape. As Mr. Becerra gets more involved in this field, we will provide updates on enforcement actions and statements from the new California Attorney General in the months to come.