California Eyes Stronger Privacy Law
Schwarzenegger to Decide Fate of Breach Notification Bill
Senate Bill 1166 strengthens the existing data breach notification rules when personal information is breached. The bill was authored by Sen. Joe Simitian, D-Palo Alto. The state legislature voted to pass the bill on August 19.
Current notifications of data breaches vary widely in the information they provide and in their helpfulness to individuals who are affected. California, with the adoption of California Senate Bill 1386 in 2003, was the first state to require data breach notification. A total of 44 states now have laws requiring data breach notification when their residents' data is compromised.
The existing California breach law, also authored by Simitian in 2002, requires businesses and state government agencies to notify victims when their data has been breached. The new bill would add more muscle to California's already strong data breach notification law, which is seen as the foundation of data breach laws in the nation. The new measure takes the additional step of specifying what information must be included in the data breach notification.
The chances of this bill making it into law aren't clear, though, as Schwarzenegger vetoed a similar bill last fall.
Senator Simitian says he has worked closely with the governor's office to bring this bill back in 2010, and has heard nothing of any drawbacks to keep it from being signed. Simitian says he reintroduced the vetoed bill with a slight amendment because he sees the need for standardized information getting into the hands of victims.
Simitian says he is "cautiously optimistic that this version of the bill will be signed into law." The one glitch that may prevent Schwarzenegger from signing it before the end of September would be the budget woes that face the state. Last year's version of the bill met with a veto because of the state's budget problems, along with many other bills that were vetoed for the same reason, Simitian says.
Should the bill be signed, the law would require standard content of the data breach notification to include:
- A general description of the incident;
- The type of information breached;
- The date and time of the breach;
- A toll-free telephone number of major credit reporting agencies for security breach notices in California.
The law would also require public agencies, businesses and people subject to California's security breach notification law to send an electronic copy of the breach notification to the Attorney General, but only if more than 500 Californians are affected by a single breach.
Linda Foley, co-founder and executive director of the Identity Theft Resource Center, says that, if passed, this bill would help spur further reporting of data breaches, as the level of underreporting of data breaches is thought to be high. "The only thing that underreporting or hiding breaches is doing is allowing criminals to do the same thing to other businesses without law enforcement becoming aware and investigating them," says Foley. This bill could also help law enforcement see the "bigger picture" when it comes to data breaches, developing patterns and practices in connection with identity theft.