SACRAMENTO, CA – A bill in California aimed at strengthening the state’s existing data breach notification requirements will become law on January 1, 2012.
Senate Bill 24, championed by Sen. Joe Simitian (D-Palo Alto), was approved last week by Gov. Jerry Brown.
As a result of legislation Simitian passed in 2002 (AB 700), California law requires data holders, such as businesses or state agencies, to notify individuals when there has been a breach of personal information. However, the law does not indicate what information should be contained in this notification.
“Senate Bill 24 is the logical next step to ensure consumers have the specific information they need to protect themselves after a data breach,” said Simitian.
Specifically, SB 24 establishes standard, core content for data breach notifications including a general description of the incident, the type of information breached, the time of the breach and toll-free telephone numbers and addresses of the major credit reporting agencies in California.
“No one likes to get the news that personal information about them has been stolen,” said Simitian. “But when it happens, people deserve to get the information they need to decide what to do next.”
SB 24 also requires data holders to send an electronic copy of the notification to the Attorney General if a single breach affects more than 500 Californians. This requirement will “give law enforcement the ability to see the big picture and better understand the patterns and practices of identity theft statewide,” Simitian explained.
A survey by the Samuelson Law, Technology & Public Policy Clinic at UC Berkeley found that 28 percent of data breach victims receiving a security breach notification letter “do not understand the potential consequences of the breach after reading the letter.”
The California Office of Privacy Protection referred to the bill signing as “a great day for California” and indicated that the senator’s bill “helps protect and empower Californians.”
Privacy Rights Clearinghouse, a non-profit consumer education and advocacy group, reports that at least 500 million sensitive records have been compromised nationwide since 2005.
Since Simitian’s original privacy legislation (AB 700) was signed into law in 2002, more than 45 states have adopted legislation modeled on California’s statute. At least 14 other states, and Puerto Rico, also require security breach notifications to include specified information, just as SB 24 does.



