Bill to bolster California breach law awaits governor

Share this article:
A new Senate bill in California, which seeks to complement the state's trailblazing SB-1386 data breach disclosure bill, is ready for Gov. Arnold Schwarzenegger's signature.

The new legislation, SB-20, builds on the 2003 bill by requiring that breach notification letters also contain specifics around the data-loss incident, including the type of personal information exposed, a description of the incident and advice on steps to take to protect oneself from identity theft. The law also would require that organizations that suffer a breach affecting 500 or more people must submit a copy of the alert letter to the state attorney general's office.

"Experience over the past half dozen years indicates that too often, the information received [in the letter] is confusing, not clarifying," state Democratic Sen. Joe Simitian, author of both bills, said this week in a news release. "SB-20 ensures that notice of a security breach will be genuinely helpful to consumers."

Simitian was not available for comment on Friday.

No organizations oppose the bill, Christine Haddon, spokeswoman for the California Chamber of Commerce, told SCMagazineUS.com on Friday.

On Aug. 26, the chamber withdrew its opposition to the bill on behalf of 13 other entities, including the California Bankers Association, Association of California Insurance Companies and State Farm Insurance. The groups were satisfied with the amended bill, which eliminated a single provision that required breached firms to provide victims with an estimated number of total people affected by the incident.

According to an earlier bill analysis, challengers also wanted to see other sections removed, including one that required the notification letters to contain the telephone numbers for major reporting agencies -- which may have implied they were victims of identity theft -- and another that required the disclosure of the date of the breach. State Farm had argued this would confirm to the hacker that he or she was successful.

The governor must sign or veto the bill by Oct. 11.

SB-1386 laid the groundwork for roughly 45 other states to pass similar laws requiring organizations that expose personal information to notify victims.
Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in News

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.