Bill to bolster California breach law awaits governor

A new Senate bill in California, which seeks to complement the state's trailblazing SB-1386 data breach disclosure bill, is ready for Gov. Arnold Schwarzenegger's signature.

The new legislation, SB-20, builds on the 2003 bill by requiring that breach notification letters also contain specifics around the data-loss incident, including the type of personal information exposed, a description of the incident and advice on steps to take to protect oneself from identity theft. The law also would require organizations that suffer a breach affecting 500 or more people to submit a copy of the alert letter to the state attorney general's office.

"Experience over the past half dozen years indicates that too often, the information received [in the letter] is confusing, not clarifying," state Democratic Sen. Joe Simitian, author of both bills, said this week in a news release. "SB-20 ensures that notice of a security breach will be genuinely helpful to consumers."

Simitian was not available for comment on Friday.

No organizations oppose the bill, Christine Haddon, spokeswoman for the California Chamber of Commerce, told SCMagazineUS.com on Friday.

On Aug. 26, the chamber withdrew its opposition to the bill on behalf of 13 other entities, including the California Bankers Association, Association of California Insurance Companies and State Farm Insurance. The groups were satisfied with the amended bill, which eliminated a single provision that required breached firms to provide victims with an estimated number of total people affected by the incident.

According to an earlier bill analysis, challengers also wanted to see other sections removed, including one that required the notification letters to contain the telephone numbers for major reporting agencies -- which may have implied to recipients that they were victims of identity theft -- and another that required the disclosure of the date of the breach. State Farm had argued this would confirm to the hacker that he or she was successful.

The governor must sign or veto the bill by Oct. 11.

SB-1386 laid the groundwork for roughly 45 other states to pass similar laws requiring organizations that expose personal information to notify victims.