California Gov. Arnold Schwarzenegger has vetoed a bill that would have updated the state's existing data breach disclosure law.
The move Sunday by Schwarzenegger surprised the author of SB-20, state Democratic Sen. Joe Simitian, who said in a statement that the final version of the bill eliminated any sources of dissent from the insurance and financial services industries.
The new legislation would have built on the landmark 2003 bill, SB-1386, by requiring that breach notification letters also contain specifics around the data-loss incident, including the type of personal information exposed, a description of the incident, and advice on steps to take to protect oneself from identity theft. The law also would have required that organizations that suffer a breach affecting 500 or more people must submit a copy of the alert letter to the state attorney general's office
But the governor, in a veto notice, said he decided to refuse the bill because there is no proof the additional information required by the legislation would actually help consumers. In addition, Schwarzenegger said he saw no reason why the attorney general's office needed to become a "repository" of data breach notifications.
The bill, though, had no opposition. On Aug. 26, the California Chamber of Commerce withdrew its dissent to the bill on behalf of 13 other entities, including the California Bankers Association, Association of California Insurance Companies and State Farm Insurance. The groups were satisfied with the amended bill, which eliminated a single provision that would have required breached firms to provide victims with an estimated number of total people affected by the incident.
“I'm surprised as well as disappointed by the governor's veto,“ Simitian said. “There was no opposition to the bill in its final form. This was a common sense step to help consumers. No one likes to get the news that personal information about them has been stolen. But when it happens, people are entitled to get the information they need to decide what to do next."
This is not the first time Schwarzenegger has shot down data security legislation. In October 2007, he vetoed the Consumer Data Protection Act, known as AB 779. That law would have set forth data security and breach notification requirements for merchants.