Thursday, August 19, 2010

Landmark California Privacy Bill Passes Legislature

First, the good news (the bad news only being that the Governor may veto this bill). The California Legislature has voted to strengthen the notification required when databases of personal information are compromised. Now it falls on the Governor to do the right thing - which is always a tenuous hope at best.

California’s current security breach notification law does not require public agencies, businesses, or persons subject to that law to provide any standard set of information about the breach to consumers. As a result, security breach notification letters often lack important information - such as the time of the breach or type of information that was breached - or are confusing to consumers.

This leaves consumers uncertain about how to respond to the breach or protect themselves from identity theft. SB 1166 makes relatively modest but helpful changes to the current security breach notification statutes to enhance consumer knowledge about, and understanding of, security breaches.

Unfortunately, privacy breaches occur regularly. In fact, according to the Privacy Rights Clearinghouse, at least 347 million sensitive records have been compromised nationwide since 2005.

SB 1166 (Simitian) would amend California's security breach notification law to state that any public agency, person, or business required to issue a security breach notification to more than 500 residents must submit the notification electronically to the Attorney General. This measure also requires that the notification be written in plain language and include contact information regarding the breach, the types of information breached, and the date, estimated date, or date range of the breach.

Additionally, SB 1166 would also require that an entity providing substitute notice also provide notice to the Office of Information Security and Privacy Protection.

Now, it's difficult to understand how anyone could be against this. It's about as common-sense an approach as one could come up with in response to the growing problem and reality of data breaches. It's rather simple, really: if you are the victim of a data breach, and your private information may have been stolen, you deserve some basic information that will help you respond most effectively.

But here's why I am concerned. The Governor vetoed an almost identical bill last year stating (and notice the complete lack of any evidence to support his assertions...because none exist):

I am returning Senate Bill 20 without my signature.

This bill would require any agency, person, or business that must issue an information security breach notification pursuant to existing law to also fulfill certain additional requirements pertaining to the security breach notification.

California’s landmark law on data breach notification has had many beneficial results. Informing individuals whose personal information was compromised in a breach of what their risks are and what they can do to protect themselves is an important consumer protection benefit. This bill is unnecessary, however, because there is no evidence that there is a problem with the information provided to consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices. Since this measure would place additional unnecessary mandates on businesses without a corresponding consumer benefit, I am unable to sign this bill.


Arnold Schwarzenegger

My confusion here stems from the Governor's assertion that "there is no evidence that there is a problem with the information provided to consumers". Say what? Ask consumers whether it's more helpful to receive a letter that provides more than just a notice that your information has been breached, but also what you can do about it, when it happened (so you can check that date against your credit card statements, etc.), and other useful, SPECIFIC information.

The bottom line is that this law IS NEEDED. The past few years have demonstrated that there are some holes that still need to be plugged. According to a survey of data breach victims, 28% of those receiving a notification did not understand “the potential consequences of the breach after reading the letter.”

But, there is reason for more hope than usual, as Senator Simitian said he reintroduced his vetoed measure this year after conversations with the Governor’s office persuaded him that “a signature by the Governor seems possible this year.”

Specifying what information must be included in the notification, so that individuals can take steps to protect themselves against identity theft, really is "the next logical step" after the Senator's original data breach notification legislation, as Simitian has argued.

Current notifications of data breaches vary widely in the information they provide and in their helpfulness to individuals who are affected. Plus, as Simitian also argued, "the bill will also give law enforcement the ability to see the big picture and a better understanding of the patterns and practices developing in connection with identity theft".

Now we wait...
