Friday, September 11, 2009

Important Security Breach Bill Moves on to Governor Schwarzenegger's Desk

Similar to my post on Wednesay, another important privacy bill that we (CFC) have vigorously supported this year is on its way to the Governor's desk! In contrast to AB 943 (Mendoza), we are fairly confident (unsure with AB 943) the Governor will sign SB 20 (Simitian) - a bill that would amend and improve California's landmark security breach notification law.

Signifying the importance of this legislation to privacy advocates and consumer groups was it's inclusion - along with AB 943 - in a letter from nine consumer rights organizations outlining legislative priorities during the final month of the 2009 session.

Signing the letter were CALPIRG, California Alliance for Retired Americans, Congress of California Seniors, Consumer Action, Consumer Federation of California, Consumers for Auto Reliability and Safety, Consumers Union, Older Women’s League of California, and Privacy Rights Clearinghouse.

Before I get to the article reporting the good news about SB 20, let me remind readers why CFC supports it so strongly:

The bill would amend California's security breach notification law stating that any public agency, person or business required to issue a security breach notification to more than 500 residents must submit the notification electronically to the Attorney General.

This measure also requires that the notification be written in plain language and include contact information regarding the breach, the types of information breached, and the date, estimated date, or date range of the breach.

Additionally, SB 20 would amend the substitute notice provisions of California's security breach notification law to require that an entity providing substitute notice also provide notice to the Office of Information Security and Privacy Protection.

California’s current security breach notification law does not require public agencies, businesses, or persons subject to that law to provide any standard set of information about the breach to consumers.

As a result, security breach notification letters often lack important information - such as the time of the breach or type of information that was breached - or are confusing to consumers.This leaves consumers uncertain about how to respond to the breach or protect themselves from identity theft.

SB 20 makes relatively modest but helpful changes to the current security breach notification statutes to enhance consumer knowledge about, and understanding of, security breaches.

Now to the good news from the California Chronicle:

SB 20 builds on previous legislation authored by Simitian, AB 700 (2002), which required any company or business that loses unencrypted personal information to send a security breach notification letter to consumers whose privacy was compromised. In the years since Simitian´s original privacy protection law, the measure has been widely praised, and more than 40 states have adopted similar legislation.


"Experience over the past half dozen years indicates that too often the information received is confusing, not clarifying," said Simitian. "SB 20 ensures that notice of a security breach will be genuinely helpful to consumers," he said. "No one likes to get the news that information about them has been stolen," said Simitian, "but when it happens, people are entitled to get a letter that helps them decide what to do next." SB 20, according to Simitian, "is designed to make a good law even better."


"Identity theft is a difficult problem to deal with," said Richard Holober, Executive Director of the Consumer Federation of California, a consumer rights advocacy organization, which included Simitian´s SB 20 as one of its pro-consumer legislative priorities. "We're confident that SB 20 will help make a complicated situation easier for consumers, and we urge the Governor to sign it into law."

Click here to read more.

No comments: