The new legislation, SB-20, builds on the 2003 bill by requiring that breach notification letters also contain specifics around the data-loss incident, including the type of personal information exposed, a description of the incident and advice on steps to take to protect oneself from identity theft. The law also would require that organizations that suffer a breach affecting 500 or more people must submit a copy of the alert letter to the state attorney general's office.
"Experience over the past half dozen years indicates that too often, the information received [in the letter] is confusing, not clarifying," state Democratic Sen. Joe Simitian, author of both bills, said this week in a news release. "SB-20 ensures that notice of a security breach will be genuinely helpful to consumers."
Simitian was not available for comment on Friday.
No organizations oppose the bill, Christine Haddon, spokeswoman for the California Chamber of Commerce, told SCMagazineUS.com on Friday.
On Aug. 26, the chamber withdrew its opposition to the bill on behalf of 13 other entities, including the California Bankers Association, Association of California Insurance Companies and State Farm Insurance. The groups were satisfied with the amended bill, which eliminated a single provision that required breached firms to provide victims with an estimated number of total people affected by the incident.
According to an earlier bill analysis, challengers also wanted to see other sections removed, including one that required the notification letters to contain the telephone numbers for major reporting agencies -- which may have implied they were victims of identity theft -- and another that required the disclosure of the date of the breach. State Farm had argued this would confirm to the hacker that he or she was successful.
The governor must sign or veto the bill by Oct. 11.
SB-1386, the 2003 bill, laid the groundwork for roughly 45 other states to pass similar laws requiring organizations that expose personal information to notify victims.