With state security breach notification laws starting to show their age, California has again been asked to take the lead in updating these laws. Recently, California’s legislators attempted to push two new bills through. One of the bills was just vetoed, the other passed a few weeks ago.
The failed bill was SB 1166. SB 1166 attempted to clear up some of the confusion as to what information needed to be disclosed to consumers affected by a security breach of a computerized data system that maintained their personal information. For example, the bill would have required that the consumer be told in plain English: (1) the contact information for the entity providing the notice, (2) a list of the types of personal information that were the subject of the breach, (3) when the breach occurred (or an estimate thereof), (4) the date the consumer was first notified of the breach and whether such notice was delayed because of an investigation involving law enforcement, (5) a description of the breach incident and (6) a toll-free number and address for the major credit reporting agencies if the incident involved exposure of the consumer’s social security number, driver’s license or California I.D. card. Furthermore, the reporting entity would have been required to inform the consumer of what remedial actions it had taken to protect the consumer’s information, to provide advice on steps that the individual may take to protect himself or herself (e.g., to advise the consumer to put a fraud alert on his or her credit through the toll-free number being provided) and to provide the Attorney General with a copy of such notice letter.
Prudently, on October 7, 2010, Governor Schwarzenegger provided notice that he would not sign this legislation into law. While these requirements could have ended any confusion as to what is actually required by law instead of what is recommended when providing notification of a security breach, California’s Office of Privacy Protection has long been suggesting that reporting entities notify affected individuals in the manner described above as a best practice when attempting to comply with California’s existing laws. As such, the Governor found this bill unnecessary. No doubt, with California’s current cash crunch, furloughs and reductions in force, SB 1166’s additional requirement to create a breach notice repository at the Attorney General’s office put the final nail in the coffin for this bill. Just the same, SB 1166 serves as an important reminder as to what businesses should consider doing to comply with California’s current law (CA Civ. Code 1798.82) and best industry practices when faced with a breach of their computerized data systems involving personal information.