Wednesday, January 26, 2011

California Bill to Protect Against Privacy Breaches, Improve Notification is Back

One of last year's real “privacy disappointments” in California was Governor Schwarzenegger's veto of SB 1166 (Simitian) - a data breach notification law. It represented a particularly stinging rebuke because - while the Governor vetoed a nearly identical bill the year before - he had intimated that if it was brought back with just a minor modification - which was made, he'd sign it next time. Apparently, the Governor changed his mind, and consumers will continue to pay the price. 

Now to the good news: Senator Joe Simitian is bringing the legislation back, and of course, California has a new Governor with a far better track record on consumer rights.

First, here's why the bill is important:

A recent study by the Privacy Rights Clearinghouse indicated upwards of 500 million data breaches took place since 2005 (certainly more once we take into account last year's numbers), including personal medical records, credit card numbers and Social Security numbers. According to a 2009 Javelin Research & Strategy report, individuals are four times more likely to be the victim of identity theft in the year after receiving a data breach notification letter.

It goes without saying, then, that these findings epitomize the need for proper notification policies and more stringent enforcement. California’s current security breach notification law does not require public agencies, businesses, or persons subject to that law to provide any standard set of information about the breach to consumers. As a result, security breach notification letters often lack important information - such as the time of the breach or the type of information that was breached - or are confusing to consumers.

Last year's SB 1166 is now SB 24. The bill would help rectify these shortcomings by amending California's security breach notification law so it states that any public agency, person or business required to issue a security breach notification to more than 500 residents must also submit the notification electronically to the Attorney General. The bill would also require that the notification be written in plain language and include contact information regarding the breach, the types of information breached, and the date, estimated date, or date range of the breach.

Just ask consumers whether it's more helpful to receive a letter that provides not just a notice that your information has been breached, but also what you can do about it, when it happened (so you can check that date against your credit card statements, etc.), and other useful, SPECIFIC information.

The bottom line is that this law IS NEEDED. The past few years have demonstrated that there are some holes that still need to be plugged. According to a survey of data breach victims, 28% of those receiving a notification did not understand “the potential consequences of the breach after reading the letter.”

The changes proposed to the current law by Senator Simitian’s legislation will enhance identity theft protection for Californians. As the Senator himself noted, “The unwelcome news that personal information has been stolen should be accompanied by information that enables individuals to decide what steps to take next. Current notifications of data breaches vary widely in the information they provide and in their helpfulness to individuals who are affected. This new measure makes modest but helpful changes for consumers. By requiring notice to the Attorney General, it will enable law enforcement to identify patterns of data theft and to understand the scope of the threat.”

So to repeat, specifically, the bill would establish the following standards for notifications:

• A general description of the incident.
• The type of information breached.
• The date and time of the breach. 
• The toll-free telephone numbers of the major credit reporting agencies, for security breach notices in California.

In the years since Simitian’s original privacy legislation, Assembly Bill 700, was signed into law, 46 other states, as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands, have enacted laws that are modeled on the California statute. At least 14 other states and Puerto Rico now require security breach notification letters to include specified types of information similar to the requirements of SB 24. Most of these states also require notification of a state regulator, such as the Attorney General, as well as individuals.

In other words, this is a truly common sense, no-brainer piece of legislation that a large coalition of consumer and privacy rights organizations will be working hard to enact this year. 
