California's Simitian Moves to Bolster Data Breach Notices

California State Senator Joe Simitian (D-Palo Alto), who authored the state's existing data breach law in 2002, has introduced Senate Bill 24 to strengthen the content of the notices provided to individuals when their personal information has been hacked, stolen or lost. If passed, Senate Bill 24 would offer individuals better protection against identity theft by standardizing the content of data breach notifications, including (i) a general description of the incident, (ii) the type of information breached, (iii) the date and time of the breach and (iv) a toll-free telephone number for the major credit reporting agencies, for security breach notices in California. Senate Bill 24 would also require public agencies, businesses and others to send a copy of the breach notification to the California Attorney General if more than 500 Californians are affected by a single breach. Former Governor Arnold Schwarzenegger vetoed similar legislation introduced by Senator Simitian.

California Data Breach Notification Revision Gets New Life

You may recall that Governor Schwarzenegger "terminated" the proposed update to California's landmark privacy protection law (AB 700), known as SB 20, which California's State Legislature previously approved and we reported about here. SB 20 was proposed by State Senator Joe Simitian (D-Palo Alto), the original author of California's breach notification law, after which many states model their breach notification laws.

Well, the Governator's office encouraged Rep. Simitian to reintroduce the amendment, which is now Senate Bill 1166. This Bill was approved by the California Senate last Thursday and now moves to the California State Assembly for approval and, if approved, signature by the Governor.

The existing legislation requires that any company or business that loses unencrypted personal information send a security breach notification letter to those affected. The states that have adopted breach notification laws similar to California's now number 46, plus the District of Columbia, Puerto Rico and the US Virgin Islands.

At its heart, SB 1166 accomplishes two major goals. First, SB 1166 would require that the notification letters sent to victims “contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.” At least 13 states already have laws specifying the contents of breach notification letters to affected individuals. Such provisions are often encouraged because consumers receiving notices are often confused about what data is affected, and because, as the number of generic notices received by consumers increases, there is a fear that apathy will set in and a consumer will miss the notice of a particularly troubling breach.

Second, SB 1166 would also require that parties that have a (single event) data breach that affects more than 500 California residents provide a copy of the notification letter to the state Attorney General’s office. This second provision is where there is now a potential for a clearinghouse. In most conceivable cases of a data breach of any significant size, it is likely that 500 California residents will be affected. Under applicable sunshine laws, this information would be more widely available to watchdog groups, not to mention concerned citizens. It is also conceivable that the Attorney General’s office would post information regarding these reported data breaches on its web site in an easily accessible manner.

We will have to wait and see if Skynet orders the Governor to sign this law when and if it reaches his desk.

California's Proposed Strengthened Data Privacy Law Terminated

It appears that John Connor is not the only thing from the future in Governor Schwarzenegger’s crosshairs. The Governator vetoed the update to California's landmark privacy protection law (AB 700), known as SB 20, which California’s State Legislature previously approved and we reported about here. SB 20 was proposed by State Senator Joe Simitian (D-Palo Alto).

Simitian, the author of California’s existing privacy legislation (AB 700), created a bill that had no apparent opposition. In fact, Simitian has a record of creating trend-setting legislation in the privacy field, with more than 40 states adopting legislation similar to the legislation that he authored for California (AB 700). Scientific American named Simitian as a member of the “Scientific American 50” in 2003 in the “Privacy & Security” category for his work on California’s existing legislation (AB 700).

The California Chronicle quoted Simitian as saying, “I’m surprised as well as disappointed by the Governor’s veto. There was no opposition to the bill in its final form. This was a common sense step to help consumers.”

As a refresher, SB 20 would accomplish two major goals. First, SB 20 would have required that the notification letters sent to victims “contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.”

Second, SB 20 would also have required that parties that have a (single event) data breach that affects more than 500 California residents provide a copy of the notification letter to the state Attorney General’s office.

While the basis for the Governor's veto of SB 20 was not immediately apparent, it is likely that Simitian will reintroduce this legislation with some adjustments.

Proposed California Data Breach Law Could Create a Clearinghouse

We have written before about how the lack of a national clearinghouse for large data breaches is a significant shortcoming of existing federal law. We have also speculated that if a large state were to create a de facto clearinghouse, the shortcoming may be partially alleviated.

President Obama’s administration may be disappointing many privacy experts to date, but California’s Governator now has an opportunity to make some major strides.

California’s State Legislature approved SB 20, a bill proposed by State Senator Joe Simitian (D-Palo Alto), which the Senator states would “strengthen and update California's landmark privacy protection law.”

Governor Schwarzenegger will have until October 11th to sign or veto the proposed bill.

The existing legislation, originally authored by Simitian, requires that any company or business that loses unencrypted personal information send a security breach notification letter to those affected. Simitian’s office proudly and accurately states that California’s law has been widely praised, and that more than 40 states have adopted similar legislation.

At its heart, SB 20 accomplishes two major goals. First, SB 20 would require that the notification letters sent to victims “contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.”

Second, SB 20 would also require that parties that have a (single event) data breach that affects more than 500 California residents provide a copy of the notification letter to the state Attorney General’s office. This second provision is where there is now a potential for a clearinghouse. In most conceivable cases of a data breach of any significant size, it is likely that 500 California residents will be affected. Under applicable sunshine laws, this information would be more widely available to watchdog groups, not to mention concerned citizens. It is also conceivable that the Attorney General’s office would post information regarding these reported data breaches on its web site in an easily accessible manner.

While the proposed revision to California’s data breach law is not a cure for the lack of a national database, it does create hope that a national requirement may be on the horizon. In any event, as more states consider and adopt such reporting requirements, at the very least a patchwork of clearinghouses may come into existence. Even such a patchwork has the potential to be better than the current system.