Schwarzenegger negs update to California breach law

California Gov. Arnold Schwarzenegger has vetoed a bill that would have updated the state's existing data breach disclosure law.

The move Sunday by Schwarzenegger surprised the author of SB-20, state Democratic Sen. Joe Simitian, who said in a statement that the final version of the bill eliminated any sources of dissent from the insurance and financial services industries.

The new legislation would have built on the landmark 2003 bill, SB-1386, by requiring that breach notification letters also contain specifics about the data-loss incident, including the type of personal information exposed, a description of the incident, and advice on steps to take to protect oneself from identity theft. The law also would have required organizations that suffer a breach affecting 500 or more people to submit a copy of the alert letter to the state attorney general's office.

But the governor, in a veto notice, said he decided to refuse the bill because there is no proof the additional information required by the legislation would actually help consumers. In addition, Schwarzenegger said he saw no reason why the attorney general's office needed to become a "repository" of data breach notifications.

The bill, though, had no opposition. On Aug. 26, the California Chamber of Commerce withdrew its dissent to the bill on behalf of 13 other entities, including the California Bankers Association, Association of California Insurance Companies and State Farm Insurance. The groups were satisfied with the amended bill, which eliminated a single provision that would have required breached firms to provide victims with an estimated number of total people affected by the incident.

“I'm surprised as well as disappointed by the governor's veto,” Simitian said. “There was no opposition to the bill in its final form. This was a common sense step to help consumers. No one likes to get the news that personal information about them has been stolen. But when it happens, people are entitled to get the information they need to decide what to do next.”

This is not the first time Schwarzenegger has shot down data security legislation. In October 2007, he vetoed the Consumer Data Protection Act, known as AB 779. That law would have set forth data security and breach notification requirements for merchants.
