Thursday, October 7, 2010

California Privacy Bills Signed, Vetoed By Governor

As per usual, I want to briefly go through the fates of the handful of important California privacy bills that made it all the way to Governor Schwarzenegger's desk.

Privacy Bills Signed by Governor

SB 1268 (Simitian) - Protects Privacy of Electronic Toll Users: Representing a major privacy victory was the Governor’s signing of SB 1268. The bill puts in place a number of protections for personally identifiable information of electronic toll collection subscribers, including, but not limited to: travel pattern data, address, telephone number, bank account information, and credit card information.

The bill would restrict transportation agencies from handing over subscriber information unless a law enforcement agency provides a search warrant, or, in cases in which the delay required in seeking a search warrant would result in an imminent danger to the health or safety of a member of the public, a written statement by the law enforcement agency explaining the nature of the situation. In addition, it would provide that in each instance where a subscriber’s personally identifiable information is handed over to a law enforcement agency, the subscriber him or herself must be notified within a reasonable timeframe.

SB 909 (Wright) - Investigative Consumer Reporting Agencies: This bill will require a person who instigates an investigative consumer report for employment purposes to provide a consumer with a Disclosure and Request for Consent for the information to be sent outside of the United States.

SB 1087 (Alquist) - Identity Theft: This bill gives additional rights to victims of identity theft - an increasingly common crime in California - by authorizing restitution for three years of credit report monitoring and for the costs to repair a credit rating. The legislation also expands the definition of what is considered to be identity theft and increases fines and potential incarceration time for those found guilty.

The bill also allows a person who believes that he or she is the victim of identity theft the right to initiate an investigation of the matter by contacting the law enforcement agency with jurisdiction over the person's residence or place of business. The victim may then obtain information from various financial entities concerning the suspected identity theft incident and may further investigate the matter. The victim may also petition a court for an expedited determination of his or her factual innocence concerning misuse of his or her identifying information.

Privacy Bills Vetoed By Governor

SB 1166 (Simitian) - Protecting Personal Information: The Governor’s veto of SB 1166 marks the biggest “privacy disappointment” of the session. It's a particularly stinging loss because, while the Governor vetoed a nearly identical bill last year, he said to bring it back again with just a minor modification - which was made. Apparently, the Governor changed his mind, and consumers will continue to pay the price. Here's why:

A recent study by the Privacy Rights Clearinghouse indicated upwards of 500 million data breaches since 2005, including personal medical records, credit card numbers and Social Security numbers. According to a 2009 Javelin Research & Strategy study, individuals are four times more likely to be the victim of identity theft in the year after receiving a data breach notification letter.

It goes without saying then, that these findings epitomized the need for the Governor to sign SB 1166 (Simitian). California’s current security breach notification law does not require public agencies, businesses, or persons subject to that law to provide any standard set of information about the breach to consumers. As a result, security breach notification letters often lack important information - such as the time of the breach or type of information that was breached - or are confusing to consumers.

SB 1166 would have rectified this problem by amending California's security breach notification law to state that any public agency, person or business required to issue a security breach notification to more than 500 residents must submit the notification electronically to the Attorney General. This measure also would have required that the notification be written in plain language and include contact information regarding the breach, the types of information breached, and the date, estimated date, or date range of the breach.

Yet the Governor's veto message claims “This bill is unnecessary, however, because there is no evidence that there is a problem with the information provided to consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices.”

Just ask consumers whether it's more helpful to receive a letter that provides more than just a notice that your information has been breached, but also what you can do about it, when it happened (so you can check that date against your credit card statements, etc.), and other useful, SPECIFIC information.

The bottom line is that this law IS NEEDED. The past few years have demonstrated that there are some holes that still need to be plugged. According to a survey of data breach victims, 28% of those receiving a notification did not understand “the potential consequences of the breach after reading the letter.”

SB 482 (Mendoza) – Protecting Financial Privacy: This is another big disappointment, particularly considering how many people's credit scores have suffered due to the Great Recession. This bill would have prohibited a prospective employer from using consumer credit reports in the hiring process.

An employer should not have any right to obtain confidential information that is not germane to a prospective employee's job. Credit reports do not have predictive value in determining a worker's ability to perform job duties, but a bad credit report might unfairly influence a hiring employer's attitude toward a job applicant. AB 943 would provide exceptions in cases when the job duties include access to cash or other financial assets, when the job is in law enforcement, and in other narrow areas.

So that's a quick rundown of the privacy bills that we (Consumer Federation of California) had been tracking all year that actually made it to his desk. While the signing of the electronic toll bill was a victory, it's difficult to understand the Governor's reasoning for vetoing the credit report and the security breach bills... but then, we are talking about Governor logic, and rational, consistent public policy positions don't really apply.
