With state security breach notification laws starting to show their age, California has again been asked to take the lead in updating these laws. Recently, California’s legislators attempted to push two new bills through. One of the bills was just vetoed, the other passed a few weeks ago.

SB 1166

The failed bill was SB 1166. SB 1166 attempted to clear up some of the confusion as to what information needed to be disclosed to consumers affected by a security breach of a computerized data system that maintained their personal information. For example, the bill would have required that the consumer be told in plain English: (1) the contact information for the entity providing the notice, (2) a list of the types of personal information that were the subject of the breach, (3) when the breach occurred (or an estimate thereof), (4) the date the consumer was first notified of the breach and whether such notice was delayed because of an investigation involving law enforcement, (5) a description of the breach incident and (6) a toll-free number and address for the major credit reporting agencies if the incident involved exposure of the consumer’s Social Security number, driver’s license or California I.D. card. Furthermore, the reporting entity would have been required to inform the consumer of what remedial actions it had taken to protect the consumer’s information, to provide advice on steps that the individual may take to protect himself or herself (e.g., to advise the consumer to put a fraud alert on his or her credit through the toll-free number being provided) and to provide the Attorney General with a copy of the notice letter.

Prudently, on October 7, 2010, Governor Schwarzenegger provided notice that he would not sign this legislation into law. While these requirements could have ended any confusion as to what is actually required by law instead of what is recommended when providing notification of a security breach, California’s Office of Privacy Protection has long been suggesting that reporting entities notify affected individuals in the manner described above as a best practice when attempting to comply with California’s existing laws. As such, the Governor found this bill unnecessary. No doubt, with California’s current cash crunch, furloughs and reductions in force, SB 1166’s additional requirement to create a breach notice repository at the Attorney General’s office put the final nail in the coffin for this bill. Just the same, SB 1166 serves as an important reminder as to what businesses should consider doing to comply with California’s current law (CA Civ. Code 1798.82) and best industry practices when faced with a breach of their computerized data systems involving personal information.

SB 1268

For those demanding more legislation in this area, there is some light at the end of the tunnel (though it is more akin to that of a laser pointer than an all-encompassing floodlight). Senate Bill 1268 was signed into law on September 29, 2010. This new law is much narrower in scope than SB 1166, as it applies only to transportation agencies operating electronic toll collection systems (e.g., toll roads using Fast Pass, EZ Pass, FasTrak, etc.).

SB 1268 prohibits a transportation agency from collecting any information other than what is necessary to perform its account functions. The bill’s author, State Senator Joe Simitian (D-Palo Alto), was quoted as saying, “There’s just no reason for a government agency to track the movements of Californians, let alone maintain that information in a database forever and ever.”

SB 1268 also prohibits a transportation agency from selling or providing personal information obtained from commuters who use its electronic toll collection systems, except under limited circumstances. For example, if the transportation agency obtains the commuter’s express written consent to receive direct marketing communications, the transportation agency can provide the commuter’s contact information to the direct marketing agency in order to market the transportation agency’s and/or its business partners’ products and services.

Furthermore, it requires the transportation agency to conspicuously post a privacy policy on its Web site and to provide a copy of the same to its commuters. The privacy policy must contain the usual information (e.g., the policy’s effective date, what personal information the agency collects, to whom it discloses that information, how it notifies commuters of changes to the policy, and how a commuter can make changes to the information collected about him or her). As a result of the passage of the Online Privacy Protection Act of 2003, California already has a law on its books that requires operators of commercial Web sites or online services that collect information to have and to post privacy policies similar to the one described above. However, if the commuter’s personal information was collected at the toll booth or over regular mail, the current law would not otherwise have applied to the transportation agency.

Additionally, SB 1268 requires that, after July 1, 2011, the transportation agency must delete any personal information collected from commuters within four and a half years after the closure date of the commuter’s billing cycle. Again, there is already a law in California (Cal. Civ. Code 1798.81) that requires businesses that collect personal information from California consumers to delete such information when the records are no longer required by the business to be retained. As such, it is unclear whether a transportation agency retaining a commuter’s information for four and a half years, as permitted by SB 1268, is reasonable or otherwise compliant with 1798.81. So, this aspect of SB 1268 may actually be more helpful to the transportation agencies than to the commuters. The original legislation introduced by State Senator Simitian had limited this time period to 150 days.

In order to implement these relatively benign requirements, the law permits the transportation agencies to impose new administrative fees (i.e., raise the tolls). Of course, if the transportation agency fails to comply with this law, any person whose information was sold or provided in violation of the law is granted a direct cause of action against the transportation agency for damages, costs and attorneys’ fees.

So, in summary, no new sweeping laws regarding security breaches have been passed in California. However, industries should be warned that legislatures in active states, such as California, are identifying and will likely continue to single out with precision shots the major aggregators of personal information, such as their recent target, transportation agencies.