You may recall that Governor Schwarzenegger "terminated" the proposed update to California´s landmark privacy protection law (AB 700), known as SB 20, which California’s State Legislature previously approved and we reported about here. SB 20 was proposed by State Senator Joe Simitian (D-Palo Alto), the original author of California’s breach notification law after which many states model their breach notification laws.
Well, the Governator’s office encouraged Rep. Simitian to reintroduce the amendment, which is now Senate Bill 1166. This Bill was approved by the California Senate last Thursday and now moves to the California State Assembly for approval and, if approved, signature by the Governor.
The existing legislation requires that any company or business that loses unencrypted personal information send a security breach notification letter to those affected. States adopting breach notification laws similar to California’s now number 46, plus the District of Columbia, Puerto Rico and the US Virgin Islands.
At its heart, SB 1166 accomplishes two major goals. First, SB 1166 would require that the notification letters sent to victims “contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.” At least 13 states already have laws indicating the contents of breach notification letters to affected individuals. These provisions are often encouraged because consumers receiving notices are often confused about what data is affected, and because as the number generic notices received by consumers increased there is fear that apathy will set in and a consumer will miss notice of a particularly troubling breach.
Second, SB 1166 would also require that parties that have a (single event) data breach that affects more than 500 California residents provide a copy of the notification letter to the state Attorney General’s office. This second provision is where the there is now a potential for a clearinghouse. In most conceivable cases of a data breach of any significant size, it is likely that 500 California residents will be affected. Under applicable sunshine laws, this information would be more widely available to watchdog groups, not to mention concerned citizens. It is also conceivable that the Attorney General’s office would post information regarding these reported data breaches on its web site in an easily accessible manner.
We will have to wait and see if
Skynet orders the Governor signs this law when and if it reaches his desk.