April 2015

On April 23, 2015, Washington State Governor Jay Inslee signed into law a bill strengthening the state’s data breach notification law (amending Wash. Rev. Code §§ 19.255.010 and 42.56.590 and creating a new section). H.B. 1078 makes the following substantial changes to the existing law:

  1. Under the current law, businesses and agencies that own or license computerized data including personal information about a Washington resident must disclose any breach in the security of the system involving such personal information that is unencrypted. H.B. 1078 expands this requirement to include:
    • both computerized and hard copy data that contain personal information that is not “secured;” and
    • encrypted information when the person gaining unauthorized access to the data had access to the encryption key or an alternative means of deciphering the “secured” data. The amendment also provides a standard for encryption.

In the largest ever data security enforcement action taken by the Federal Communications Commission (FCC), AT&T agreed to pay $25 million to resolve an investigation into consumer privacy violations at its call centers in Mexico, Colombia, and the Philippines. The FCC announced the settlement on April 8, 2015, stating that phone companies are expected to “zealously guard” their customers’ personal information and encouraging the industry to “look to this agreement as guidance.”

The past few years have seen exponential growth in the use of technology in the classroom, with applications ranging from the increased availability and use of e-books to the displacement of physical classrooms through Massive Open Online Courses (also known as MOOCs). One of the fastest growing segments of the education technology market relates to online educational services and applications, which are designed to track individual student progress and use the data gathered to deliver an individualized learning experience to each user. However, while online educational services and applications hold significant potential, the gathering of massive amounts of data has also sparked fears about what data will be collected, from whom, how it will be used, and whether, if at all, it will be deleted. This fear is especially prevalent when it comes to online educational services and applications targeted at children.

Last week, Australia became the latest country to pass a mandatory data retention law. The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015, which amends Australia’s Telecommunications (Interception and Access) Act 1979, requires telecommunications and Internet service providers (ISPs) to store customer metadata for two years. This means that Australian ISPs and telecom providers will have to store data associated with electronic communications, such as the names and addresses of account holders, the names of the recipients of any communications, the time and duration of communications, the location of equipment used to make the communication (such as cell towers), and computers’ IP addresses. Although the law does not require ISPs and telecoms to store the contents of customers’ electronic communications, metadata still can provide a picture of an individual’s identity, interests, and even location, which makes it of great interest to law enforcement and national security agencies seeking to prevent crime and terrorist attacks. Indeed, the law was promoted as a national security measure designed to give law enforcement access to information that could allow them to prevent terrorist attacks, but its opponents have decried it as a means to subject Australians to mass government surveillance.