They say that imitation is the highest form of flattery. Well, some 45 states have more or less copied California's pioneering move. And there was no reason to believe that a similar scenario wouldn't have played out again had the Governator signed SB-20 into law.
But, alas, it was not to be. The new legislation would have required that breach notification letters going to California residents also contain specifics around the data-loss incident, including the type of personal information exposed, a description of the incident, and advice on steps to take to protect oneself from identity theft. The law also would have mandated that organizations that suffer a breach affecting 500 or more people must submit a copy of the alert letter to the state attorney general's office
"“It was one of the most surprising vetoes I've gotten in nine years in the legislature,” Simitian told ApparelNews.net. “There were no amendments from the business community. There was no cost to the state.”
But Schwarzenegger, known for his large army of business allies, argued that the additional information that corporations would have been required to provide would have proved an additional burden to them, while not really helping consumers.
Simitian isn't the only one reacting with displeasure. From the Consumer Federation of California:
Governor Schwarzenegger's final verdict on a host of critical consumer protection bills this past weekend left consumer advocates disappointed. Of the 14 bills identified by the Consumer Federation of California (CFC) as most important, in only six instances did thegovernor take the side of the consumer.
While acknowledging that the governor signed several consumer protection laws, Richard Holober, executive director of the Consumer Federation of California stated: “We are disappointed that the governor sided with big business interests and against consumers on the majority of bills that reached his desk. The governor turned a deaf ear to California consumers on key food safety, automobile insurance and financial privacy proposals."
I also must respectfully disagree with the governor. How does he know the additional details won't help consumers. With data breaches becoming such a regularity, I would think consumers are now demanding more details, if for no other reason so they can discern between incidents.
And I'm not so sure that I can empathize with businesses. While the law may require organizations to do some additional work, I would argue that it is work that should be done anyway. After all, businesses must learn from their mistakes. Isn't the best way to do that by understanding the entire scope of an incident.
Simitian, is pledging that, pardon the metaphor, he'll be back with this bill in next year's session.
And at least not all of Schwarzenegger's legislative decisions are bad ones.