Calif. Senate strengthens breach notification law

The State Senate in California has passed by wide margins measures that require more extensive notification to consumers of data breaches, establish a central reporting center for breaches, and permit local prosecution of identity theft.

The bills, SB364 (privacy) and SB612 (ID theft prosecution), passed by 30-7 and 40-0 votes, respectively. Both measures were authored by State Sen. Joe Simitian, who sponsored SB1386, California's original breach notification law in 2002.

 

SB364 would require that consumers receive a clear, informative notification letter when their personal data kept by a business or public agency has been stolen. It also requires the state to establish a central reporting site to catalog security breaches.

 

"No one likes to get the news that information about them has been stolen," Simitian said in a prepared statement. "But when it happens, people are entitled to get a notice they can understand, and that helps them decide what to do next."

 

According to SB364, a security breach notification must contain the toll-free telephone numbers of the major credit reporting agencies – to allow consumers to put a hold on their credit – and the name and contact information of the business that has experienced a breach. The notice also must include the type of information, such as names and Social Security numbers, that might have been taken; the date of the breach and of its discovery; a general description of the breach; and the estimated number of persons affected.


California's existing law requires that businesses or government agencies which have lost personal data notify the individuals whose information has been compromised. More than 40 states have adopted similar legislation, based primarily on the California measure. 

 

SB364's mandates are based on recommendations from a study by the Samuelson Law, Technology & Public Policy Clinic at the University of California at Berkeley School of Law. That study called for standardized notices and the formation of a central clearing house for security breach information.

 

The second law, SB612, would allow identity theft to be prosecuted in the county in which the victim lives, which is not always the case now, according to Simitian's office. The current California law permits prosecution in the county in which the theft occurred or the county in which the information was illegally used, both of which may be hundreds of miles away from the victim's home.

 

"Too often, identity thieves can act with impunity simply because their victims live in a remote community," Simitian said.

 

Although the current law permits prosecution on behalf of victims anywhere, "expecting a local district attorney to prosecute a case when the victim or victims are all at the other end of the state is simply unrealistic," he said.

 

"If someone steals your wallet or your car, the existing system makes sense," Simitian added. "But computer crime ignores geography. Suppose a thief sitting at a computer in San Diego uses a ruse to obtain the personal identification information of a San Jose man, then swipes money from his online brokerage. The law says the crime occurred in San Diego and, unless a San Diego prosecutor takes up the case, the San Jose victim is out of luck."

 

Both laws must now be acted on by California's state assembly.
