The State Senate in California has passed by wide margins measures that require more extensive notification to consumers of data breaches, establish a central reporting center for breaches, and permit local prosecution of identity theft.
The bills, SB364 (privacy) and SB612 (ID theft prosecution), passed by 30-7 and 40-0 votes, respectively. Both measures were authored by State Sen. Joe Simitian, who sponsored SB1386, California's original breach notification law in 2002.
SB364 would require that consumers receive a clear, informative notification letter when their personal data kept by a business or public agency has been stolen. It also requires the state to establish a central reporting site to catalog security breaches.
"No one likes to get the news that information about them has been stolen," Simitian said in a prepared statement. "But when it happens, people are entitled to get a notice they can understand, and that helps them decide what to do next."
According to SB364, a security breach notification must contain the toll-free telephone numbers of the major credit reporting agencies – to allow consumers to put a hold on their credit – and the name and contact information of the business that has experienced a breach. The notice also must include the type of information, such as names and Social Security numbers, that might have been taken; the date of the breach and of its discovery; a general description of the breach; and the estimated number of persons affected.
California's existing law requires that businesses or government agencies which have lost personal data notify the individuals whose information has been compromised. More than 40 states have adopted similar legislation, based primarily on the California measure.
SB364's mandates are based on recommendations from a study by the Samuelson Law, Technology & Public Policy Clinic at the University of California at Berkeley School of Law. That study called for standardized notices and the formation of a central clearing house for security breach information.
The second law, SB612, would allow identity theft to be prosecuted in the county in which the victim lives, which is not always the case now, according to Simitan's office. The current California law permits prosecution in the county in which the theft occurred or the county in which the information was illegally used, both of which may be hundreds of miles away from the victim's home.
"Too often, identity thieves can act with impunity simply because their victims live in a remote community," Simitian said.
Although the current law permits prosecution on behalf of victims anywhere, "expecting a local district attorney to prosecute a case when the victim or victims are all at the other end of the state is simply unrealistic," he said.
"If someone steals your wallet or your car, the existing system makes sense," Simitian added. "But computer crime ignores geography. Suppose a thief sitting at a computer in San Diego uses a ruse to obtain the personal identification information of a San Jose man, then swipes money from his online brokerage. The law says the crime occurred in San Diego and, unless a San Diego prosecutor takes up the case, the San Jose victim is out of luck."
Both laws must now be acted on by California's state assembly.