Australia: California Dreaming: your data would be safe and secure, if it was in LA

Last Updated: 17 February 2018
Article by Alexandra Wedutenko and Nick Topfer

Most Popular Article in Australia, March 2018

California's regime for cyber security, privacy and data protection has some useful lessons for Australia.

As the world becomes more integrated, a myriad of laws could now apply to you if you engage in global transactions. Over the past few months, we have looked at developments in privacy and cyber security law in Singapore, China and the EU and compared them to developing law in Australia. Finishing up our world tour, we turn to the US.

The privacy and data protection regime in the US is a patchwork of federal and state law and industry self-regulation. But the state of California has worked to position itself as a leading influence on cyber security regulation and practice. So here we will look in depth at cyber security in California and highlight key differences and trends that might have an influence on Australian law.

US framework at a glance

The US legal framework on privacy and cyber security comprises a variety of Federal and State laws as well as best-practice guidelines developed by government agencies and industry groups.

The key federal law in this area is the Federal Trade Commission Act (FTC Act). This Act doesn't specifically regulate privacy or data security. Rather, it prohibits unfair or deceptive practices for consumer protection. However, these prohibitions have been used as a basis for the FTC to take enforcement action against companies for failing to comply with posted privacy and security policies and for unauthorised disclosure of personal information. So, for example, when the Ashley Madison website experienced a massive data breach in 2014, the FTC took proceedings against Ashley Madison under section 5(a) of the FTC Act for a number of contraventions, including for misrepresenting the steps taken to secure customer data.

At the Federal level there are also a variety of industry specific laws dealing with privacy and cyber security, which include:

  • the Financial Services Modernization Act (also known as the Gramm-Leach-Bliley Act or GLB Act): this Act regulates the collection, use and disclosure of financial information. It applies to financial institutions including banks, securities firms and insurance companies, along with other companies providing financial services and products. Primarily, the GLB Act limits the disclosure of non-public personal information and in some cases requires providers to give notice of their privacy practices and an opportunity for individuals to opt out of having their information shared;
  • the Health Insurance Portability and Accountability Act (HIPAA): this Act applies broadly to health care providers and related entities and regulates the collection and use of protected health information. It also requires covered entities to provide notice of a breach of protected health information; and
  • the Children's Online Privacy Protection Act (COPPA) and the COPPA Rule: COPPA is intended to increase parental control over information collected from children online. Using powers granted by the Act, the FTC has created rules that apply to operators of commercial websites and online services (including mobile apps) that are directed at children under 13 and that collect, use or disclose personal information about those children. The Rule also applies to the operators of general audience websites or online services that have actual knowledge that they are collecting, using or disclosing personal information from children under 13. Operators covered by the COPPA Rule must post clear and comprehensive privacy policies, obtain verifiable parental consent before collecting personal information from children and maintain the confidentiality, security and integrity of information collected (among other things). These operators are also prohibited from disclosing children's information to third parties (except where integral to the site or service).

So there are similarities between the GLB and HIPAA Acts and (for example) the regulation of personal information and sensitive information in Australia under the Privacy Act 1988 (Cth) - in particular the principles dealing with open and transparent management of information (APP 1), notification of collection (APP 5) and use and disclosure (APP 6).

Overseas disclosure

Unlike the Privacy Act, US laws don't expressly regulate commercial operators transferring information outside of US borders. However, the FTC and other regulators have stated that applicable US laws still apply to data after it leaves the US. So, the FTC considers that regulated US entities remain liable for data exported out of the US, as well as for the handling and processing of that data overseas by subcontractors.

Data security under Californian law

In the absence of general federal laws regarding cyber security, States have had to make their own way, with California leading the charge. California was the first US State to enact a security breach notification law (California Civil Code 1798.82), which it has continued to update as technology has advanced.

The law requires any person or business that owns or licenses unencrypted data containing personal information to disclose a security breach to all California residents whose personal information was (or is reasonably believed to have been) accessed by an unauthorised person. If the person or business giving the notification was the source of the breach, it must also offer to provide the affected customer with identity theft prevention and mitigation services at no cost for at least 12 months. A data breach notification must be given in the most expedient time possible.

Cyber security practices

In addition to notification of data breaches, Californian law specifically requires businesses to take steps to secure data (Civil Code 1798.81.5). This law requires businesses to use "reasonable security procedures and practices" to protect personal information from unauthorised access, destruction, use, modification or disclosure.

This section of the Civil Code doesn't define what "reasonable security procedures and practices" requires. However, the Californian Department of Justice has suggested that, at a minimum, this standard would require compliance with the 20 security controls specified in the Center for Internet Security's "Critical Security Controls for Effective Cyber Defense". These are described as well-prioritised, vetted and supported security actions which can be viewed as constituting a minimum level of security.

Other jurisdictions have followed California's lead with laws prescribing steps to avoid a security breach. For example, Massachusetts has enacted regulations prescribing a list of technical, physical and administrative security protocols aimed at protecting personal information, which companies must implement in their security architecture and policies (201 CMR 17.00).

Security breach notice for critical infrastructure businesses

The California Legislature is currently reviewing a bill (Assembly Bill No. 1359) that would require "Critical Infrastructure Businesses" to give notice of security breaches. A Critical Infrastructure Business is an entity whose business relates to systems or assets (whether physical or virtual) that are so vital to the US that their incapacity or destruction would have a debilitating impact on security, economic security, public health or safety. In particular, the bill requires a Critical Infrastructure Business to give notice to the Californian Office of Emergency Services of any unauthorised electronic access to critical infrastructure controls or acquisition of critical infrastructure information.

California vs Australia - how do they compare on cyber security, privacy and data protection?

There are a couple of key differences between the Californian regime and current Australian law.

Firstly, let's look at data breaches. Australia's new data breach law will come into force in February. It amends the Privacy Act to create a scheme for notification of "eligible data breaches", but the obligation to give a notice is only triggered if the disclosure is likely to result in serious harm. This is a more lenient approach than the Californian scheme, which requires notification on acquisition (or a reasonable belief of acquisition) of unencrypted information by an unauthorised person. Arguably the Australian approach creates a perverse incentive for firms to determine that the risk of harm from a data breach doesn't reach the relevant level. The Californian scheme also requires businesses to provide identity theft mitigation at no extra cost to affected persons in certain cases. If the Australian legislature were so minded, this would be one way (other than penalties) to ensure Australian businesses have some skin in the game when it comes to securing customer data.

Another interesting difference relates to security procedures and practices. As noted above, Californian law requires "reasonable" security procedures and practices. This is similar to APP 11, which requires APP entities that hold personal information to take reasonable steps to protect that information from unauthorised access (among other things). However, the Californian requirement is now linked to procedures and practices developed by the Center for Internet Security. By contrast, the requirements under APP 11 are flexible depending on factors such as the entity's size and resources as well as the scope and type of the information held. By providing a minimum standard for compliance, the Californian approach could help entities to understand their obligations, and enforcement agencies to administer them.

Finally, we noted that the FTC has used legislation that regulates misleading and deceptive conduct to take action against businesses that don't live up to their policies and public statements on privacy and cyber security. To date, the Australian Competition and Consumer Commission (ACCC) hasn't adopted the same stance in Australia. But, given the prohibitions on misleading and deceptive conduct in the Australian Consumer Law 2010 (Cth), there is likely scope for the ACCC to pursue these types of actions against businesses that collect, hold and disclose consumer data.


Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.
