Bill to bolster California breach law awaits governor

A new Senate bill in California, which seeks to complement the state's trailblazing SB-1386 data breach disclosure bill, is ready for Gov. Arnold Schwarzenegger's signature.

The new legislation, SB-20, builds on the 2003 bill by requiring that breach notification letters also contain specifics around the data-loss incident, including the type of personal information exposed, a description of the incident and advice on steps to take to protect oneself from identity theft. The law also would require organizations that suffer a breach affecting 500 or more people to submit a copy of the alert letter to the state attorney general's office.

"Experience over the past half dozen years indicates that too often, the information received [in the letter] is confusing, not clarifying," state Democratic Sen. Joe Simitian, author of both bills, said this week in a news release. "SB-20 ensures that notice of a security breach will be genuinely helpful to consumers."

Simitian was not available for comment on Friday.

No organizations oppose the bill, Christine Haddon, spokeswoman for the California Chamber of Commerce, told SCMagazineUS.com on Friday.

On Aug. 26, the chamber withdrew its opposition to the bill on behalf of 13 other entities, including the California Bankers Association, Association of California Insurance Companies and State Farm Insurance. The groups were satisfied with the amended bill, which eliminated a single provision that required breached firms to provide victims with an estimated number of total people affected by the incident.

According to an earlier bill analysis, challengers also wanted to see other sections removed, including one that required the notification letters to contain the telephone numbers for major reporting agencies -- which may have implied to recipients that they were victims of identity theft -- and another that required the disclosure of the date of the breach. State Farm had argued this would confirm to the hacker that he or she was successful.

The governor must sign or veto the bill by Oct. 11.

SB-1386 laid the groundwork for roughly 45 other states to pass similar laws requiring organizations that expose personal information to notify victims.