Thursday, October 1, 2009

California's Landmark Privacy Law Deserves an Update

For the sake of full disclosure, I'm going to use the op-ed written by our (Consumer Federation of California) Executive Director Richard Holober about SB 20 (Simitian) as the template for today's post. There's no reason for me to re-invent the wheel when we just had an op-ed published in the Santa Cruz Sentinel.

As some of the readers of this blog might remember, CFC worked hard to ensure SB 20 - a bill that would amend and improve California's landmark security breach notification law - won passage through the Legislature. The good news is it did, overwhelmingly. Now the bill's fate lies in the pen of Governor Schwarzenegger...who we now are lobbying hard to sign it.

Thankfully, this piece of legislation has been receiving a fair amount of attention in the press, hence my post today. So, once I finish laying out the main points of CFC's op-ed on the bill, I want to get to an informative Q&A with the legislation's author - Senator Joe Simitian.

As our Executive Director recently wrote:

There's an old joke that goes like this: What's worse than finding a worm in your apple? Finding half a worm in your apple. This is not unlike having your personal information lost or stolen. Let me explain. If you are one of the many Californians who had your confidential information compromised in a security breach, you probably found out by receiving a letter in the mail.

After reading it, you were probably quite upset. But trust me: like the worm in the apple, it's better to know sooner rather than later. As consumers, we depend on corporations and government agencies to protect the security of our most intimate financial data. Unfortunately, the number of people who suffer privacy breaches is staggering.

According to the Privacy Rights Clearinghouse, at least 263 million sensitive records have been exposed nationwide since 2005. These privacy lapses open the door to identity theft. Yet until 2002, no state in the nation required businesses and agencies that lost your personal information to let you know about it.

That's when state Sen. Joe Simitian then an assemblyman authored AB 700, which requires any business or state agency that exposes your personal information to send you what's known as a security breach notification letter. This law played a major role in highlighting the extent of the problem -- information businesses had preferred to keep under wraps.

This year, Sen. Simitian is back with SB 20, a bill now on its way to the governor's desk. If signed, it would provide an important upgrade to California's landmark privacy protection law. SB 20 spells out which key details must be included in that notification letter, and would make sure the attorney general hears about the breach.

Notification letters empower consumers to better monitor their accounts for evidence of identity theft, and to take concrete steps that make identity theft less likely. Those steps range from freezing your credit report to simply alerting your bank that a breach occurred.Requiring these details also creates a strong incentive for companies and state agencies to be careful with your information. No one wants their signature at the bottom of that notification letter.

It won't come as a surprise to anyone that technology puts our private information, from social security numbers to medical files, at risk. The exponential growth of electronic records -- while beneficial in many respects -- makes breaches more likely and far more severe. Losing a filing cabinet with 500 records is difficult. Losing a laptop with 5 million records is all too easy. For this reason, laws such as Sen. Simitian's have become standard practice across the country. More than 40 states now require security breach notification.

Privacy notification laws won't stop every security lapse from happening. But they will make businesses and agencies take more precautions to safeguard their data files. And if you ever do get that dreaded letter in the mail, you'll be able to do something about it -- before there's only half a worm in your apple. As the tally of victims grows, so must our commitment to strengthen privacy protections.

That's why the Consumer Federation of California and a host of other consumer advocates across the state are asking Gov. Schwarzenegger to sign Sen. Simitian's SB 20. California's landmark privacy law deserves his support.

Now let's get to the author of this legislation himself, Senator Joe Simitian, and his interview in Compliance Management News:

What does SB 20 bring to the data breach discussion?

Simitian: It's about to what extent you want to be prescriptive, and to what extent do you want to provide flexibility. The RSA folks' view was that the security breach law is elegant in its simplicity because we don't tell you that you have to meet this standard. We say, "Look, here's the deal, if it doesn't go well, there are consequences, so you figure out how you want to avoid those consequences."

One of the critiques of the law is that it doesn't set a specific time period, or say all reasonable speed. [In SB 20] there is a healthy tension between specificity and flexibility. On the issue of notice we want to be able to describe what the notice should look like. In about 25 to 30 percent of the notices that go out, you'd be hard-pressed if the recipients knew what it is someone is trying to communicate or not communicate. A little bit of specificity on what the essential elements of an effective notice might include would in fact be helpful, and helpful not only for consumers -- who need to get a notice they can read and understand and use to make judgments about what to do -- but also helpful to businesses, who want to know if they've complied with the law. A little bit of specificity is not too prescriptive. It's actually helpful to both businesses and consumers, and I think we struck the right balance with SB 20.

It's in Gov. Schwarzenegger's hands now. Do you think he is going to sign it?

Simitian: I do. We put in an amendment late in the process to eliminate opposition so I am optimistic about a signature, and at this point there's no formal opposition that I'm aware of. We had opposition from the insurance and financial services industry. There was one last requirement that ultimately I decided to remove from the bill to eliminate the opposition. The bill, in its not-quite-but-almost-final form, required disclosure of the number of individuals whose data had been breached. We got strong pushback on that. I thought it was a reasonable requirement but ultimately I did not want to put the entire bill at risk for one condition.


How successful do you think this has been? Are you preventing breaches?

Simitian: I think that's counterintuitive. I think it's been tremendously successful, which I think is hard for most people to conclude with the number of breaches we read about on a seemingly daily basis when you pick up the paper. What I tell people is we will never know how many we would have read about if it had not been for the passage of such a law. What we are seeing now I think is likely only the tip of the iceberg all those years ago, and you had no way of knowing. The joke is that [I am] the best friend security professionals ever had because all of a sudden people and companies who did not take security seriously a decade ago take it very seriously today because there are consequences, and that's the beauty of the law.


Were you surprised or did you notice that though this is one of your big issues along with water and the environment, that more than 100 people in an hour-and-a-half town meeting, none of them asked about data privacy?

Simitian: No, I wasn't surprised, though I think the privacy issue is a sleeping giant. I continue to be troubled by the extent to which our privacy rights slip away almost without notice. As an example, we have this FastTrak [toll system], and that uses an RFID technology. So if you are driving over the Golden Gate Bridge into San Francisco from Sacramento, you see a sign that says it's 22 minutes to get to the San Francisco airport. But how do they know that? They know it because somebody's tag got read at the bridge, and thought they were just being read to pay the toll, and got read at the airport. I don't think people have given that a moment's thought. In fact, those records have been subpoenaed in civil cases, by the wife who wanted to know if her husband was really where he said he was when he was there.

Click here to read the interview in its entirety.

Since Senator Simitian - a true privacy rights hero in the legislature - mentioned Fastrak and its use of RFID technology, I'd be remiss not to link you to a post I did on that very issue last year.

As for SB 20, we are all eagerly awaiting news regarding the Governor's decision. If you are a member of an organization that supports this bill, please do not hesitate to use our support letter to the Governor as a template for your own.

No comments: