One of last year's real “privacy disappointments” in California was Governor Schwarzenegger's veto of SB 1166 (Simitian), a data breach notification law. It was a particularly stinging rebuke because, although the Governor had vetoed a nearly identical bill the year before, he had intimated that if it were brought back with just one minor modification (which was made), he would sign it the next time. Apparently, the Governor changed his mind, and consumers will continue to pay the price.
Now to the good news: Senator Joe Simitian is bringing the legislation back, and of course, California has a new Governor with a far better track record on consumer rights.
A recent study by the Privacy Rights Clearinghouse indicated that upwards of 500 million data breaches have taken place since 2005 (certainly more once last year's numbers are taken into account), including breaches of personal medical records, credit card numbers and Social Security numbers. According to a 2009 Javelin Research & Strategy study, individuals are four times more likely to be the victim of identity theft in the year after receiving a data breach notification letter.
It goes without saying, then, that these findings epitomize the need for proper notification policies and more stringent enforcement. California’s current security breach notification law does not require the public agencies, businesses, or persons subject to it to provide any standard set of information about the breach to consumers. As a result, security breach notification letters often lack important information, such as the time of the breach or the type of information that was breached, or are confusing to consumers.
Last year's SB 1166 is now SB 24. The bill would help rectify these shortcomings by amending California's security breach notification law so it states that any public agency, person or business required to issue a security breach notification to more than 500 residents must also submit the notification electronically to the Attorney General. The bill would also require that the notification be written in plain language and include contact information regarding the breach, the types of information breached, and the date, estimated date, or date range of the breach.
Just ask consumers whether it's more helpful to receive a letter that provides not just notice that their information has been breached, but also what they can do about it, when it happened (so they can check that date against their credit card statements, etc.), and other useful, SPECIFIC information.
The bottom line is that this law IS NEEDED. The past few years have demonstrated that there are some holes that still need to be plugged. According to a survey of data breach victims, 28% of those receiving a notification did not understand “the potential consequences of the breach after reading the letter.”