Wednesday, October 14, 2009

Governor Schwarzenegger Vetoes Four Important Privacy Bills

I'm a little bit shocked, and obviously very disappointed, that the Governor vetoed all four of the privacy bills we were advocating for that were still on his desk in the final few days of this year's session. All but one of these bills (AB 943) passed the legislature with overwhelming support and had little to no formal opposition.

It was for these reasons that, outside of AB 943 (Mendoza), we were fairly confident the Governor would do the right thing and protect Californians' privacy by signing these bills. We were wrong.

Here's a brief description of each of the bills vetoed, and what they would have done:

The biggest disappointment of the bunch was the Governor's veto of SB 20 (Simitian). Let me first explain the legislation, then I'll include the Governor's veto message, answer it, and provide Senator Simitian's response as well.

California currently doesn't require public agencies or businesses to provide any standard set of information to consumers about breaches of their private information! SB 20 (Simitian) would have changed this, and would also have required any person or business that issues a security breach notification to more than 500 residents to submit a copy of the notification electronically to the Attorney General. As consumers, we depend on businesses and government agencies to protect the security of our most intimate financial data.

Unfortunately, privacy breaches occur regularly. In fact, according to the Privacy Rights Clearinghouse, at least 263 million sensitive records have been exposed nationwide since 2005. SB 20 would amend California's security breach notification law to require notices to contain helpful information to potential victims of identity theft or privacy violations. This information includes a description of the breach that occurred and the estimated date of the breach, if that date is known.

SB 20 would also require the breach notice to contain contact information for the major credit reporting agencies if an individual's Social Security number, California driver's license number or California identification card number was exposed. SB 20 would make helpful changes to the current security breach notification statutes to enhance consumer knowledge about, and understanding of, security breaches.

How could anyone be against this? It's about as commonsense an approach as one could come up with in response to the growing problem of data breaches. It's rather simple, really: if you are the victim of a data breach, and your private information may have been stolen, you deserve some basic information that will help you respond most effectively.

Now, here's the Governor's veto message...completely lacking any evidence to support his assertions (because none exists):

I am returning Senate Bill 20 without my signature.

This bill would require any agency, person, or business that must issue an information security breach notification pursuant to existing law to also fulfill certain additional requirements pertaining to the security breach notification.

California’s landmark law on data breach notification has had many beneficial results. Informing individuals whose personal information was compromised in a breach of what their risks are and what they can do to protect themselves is an important consumer protection benefit. This bill is unnecessary, however, because there is no evidence that there is a problem with the information provided to consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices. Since this measure would place additional unnecessary mandates on businesses without a corresponding consumer benefit, I am unable to sign this bill.


Arnold Schwarzenegger

My confusion here stems from the Governor's assertion that "there is no evidence that there is a problem with the information provided to consumers". Say what? Ask consumers whether it's more helpful to receive a letter that provides more than just a notice that their information has been breached: what they can do about it, when it happened (so they can check that date against their credit card statements, etc.), and other useful, SPECIFIC information.

The bottom line is that this law IS NEEDED. The past few years have demonstrated that there are some holes that still need to be plugged. According to a survey of data breach victims, 28% of those receiving a notification did not understand “the potential consequences of the breach after reading the letter.”

SB 20 would have made a good law even better by specifying key details that must be sent to consumers; something not all companies are including voluntarily.

And notifying the Attorney General’s office of data breaches would have enabled law enforcement officials to track breaches, observe trends, and better protect California consumers.

SB 20 would not have placed a substantial burden on businesses either. Under existing law, companies and state agencies must already notify every victim whose personal information is compromised – often many thousands of Californians. This bill would have added that a single copy of the notification letter be submitted electronically to the state Attorney General’s office.

The extra notification details this bill would have required are simple and straightforward: a general description of the breach, what personal information was compromised, and when the breach occurred (if possible to determine when the notice is sent).

In other words, the bill would have helped give consumers ACTIONABLE information that could give them more than just increased peace of mind, but ways to minimize the damage done.

Senator Simitian, who in 2003 was named by Scientific American magazine as one of the “Scientific American 50” technology leaders in recognition of the original data breach notification law that SB 20 would have improved upon, and who in 2007 received the award for Excellence in Public Policy at the RSA Conference, a leading security industry event, responded to the veto:

"I’m surprised as well as disappointed by the Governor’s veto. There was no opposition to the bill in its final form. This was a common sense step to help consumers. No one likes to get the news that personal information about them has been stolen, but when it happens, people are entitled to get the information they need to decide what to do next. This bill would have made one of California’s key consumer protections even better. That way (i.e. the provision regarding the Attorney General), law enforcement would have been able to get the big picture on data theft."

VETOED: AB 943 (Mendoza) - Credit Reports

This bill would have prohibited a prospective employer from using consumer credit reports in the hiring process. An employer should not have any right to obtain confidential information that is not germane to a prospective employee's job. Credit reports do not have predictive value in determining a worker's ability to perform job duties, but a bad credit report might unfairly influence a hiring employer's attitude toward a job applicant. AB 943 would have provided exceptions in cases where the job duties include access to cash or other financial assets, where the job is in law enforcement, and in other narrow areas.

Click here to read our letter to the Governor urging he sign this bill.

VETOED: AB 811 (John Perez) - Check Cashers

This bill would have prohibited check cashers from manufacturing and selling false identification cards, or identification cards that closely resemble a state driver's license, punishable by a fine of between $250 and $1,000, imprisonment in a county jail for not more than a year, or both. AB 811 also would have prohibited a check casher from requiring a customer to purchase a check cashing identification card in order to access services. Increasing the penalty for manufacturing and selling false identification cards would not only have discouraged check cashers from this practice, it would also have punished any person who manufactures and sells false IDs to minors.

Click here to read our letter to the Governor urging he sign this bill.

VETOED: AB 261 (Salas) - Student Privacy

This bill would have clarified that California students' privacy rights allow limited access to student records by law enforcement and election officials to further juvenile justice and voter registration, respectively. AB 261 is a conformity measure that would bring the California Education Code into compliance with the federal Family Educational Rights and Privacy Act (FERPA).

Conformity with federal law is needed to ensure that the state retains its eligibility for the more than $1.13 billion it receives annually in federal grants for the provision of special education services to students with special needs. AB 261 would have come at no cost to the state, as it simply provides that California is in compliance with what is already required under federal law.

Click here to read our letter to the Governor urging he sign this bill.

All in all, a bad year for California privacy advocates....
