The Green Sheet

Friday, February 15, 2008

State bill clarifies breach obligations

California merchants and their ISOs must adhere to the Payment Card Industry Data Security Standard. But they may soon have to contend with Senate Bill 364 as well.

On Jan. 31, 2008, with a 30 to 7 vote on the floor of the California State Senate in favor of SB 364, the state moved closer to strengthening its data breach notification law. It defines what information merchants must make publicly available if consumers' personal data are compromised in a breach.

SB 364 is meant to set data security standards for merchants to follow, and to then make required information available to consumers and state agencies as well, including law enforcement, to track and halt possible patterns of abuse.

California passed the initial security breach notification law in 2002, a combination of two bills – SB 1386 and Assembly Bill 700 – authored respectively by State Senator Steve Peace, D-El Cajon, and State Senator Joe Simitian, D-Palo Alto. That law went into effect on Jan. 1, 2003.

"The law has worked surprisingly well because it is simplicity itself," said Simitian in a speech on the floor of the Senate before the SB 364 vote on Jan. 31, 2008. "It says that whether a governmental entity or a business holds your data [and then] loses that data, it has to tell you so you can take steps to protect yourself.

"That simple tool has meant that millions of American consumers have known when their personal data had been disclosed and they were at risk. Also it means there has been a powerful incentive on both government and business to improve their data security."

But the law failed to address what specific information public agencies, businesses or persons subject to that law needed to make public to consumers possibly affected by a security breach.

Thus, breach notification letters often lacked important information, such as the date of the breach or type of information that was compromised, leaving consumers in the dark about how to respond to the breach or what to do to protect themselves from identity theft.

Furthermore, there was no centralized location for the reporting of security breaches, meaning there was no way to assess or improve existing California security breach laws based on patterns of criminal activity or changing consumer practices.

SB 364 is designed to:

  • Establish what security breach information must be divulged to affected consumers
  • Direct the Office of Information Security and Privacy Protection (OISPP) at the Department of Consumer Affairs to collect, maintain and report security breaches to the California legislature
  • Require public agencies, businesses and others to submit sample copies of their breach notification letters to OISPP

According to Simitian, the bill:

  • Gives consumers more information to protect themselves from identity fraud
  • Gives businesses greater clarity about what their obligations are when making a data breach notification to consumers
  • Through the central repository of data breach information, gives law enforcement another tool for the fight against identity theft

Lawmakers removed the provision that would have required information about every breach to be publicly posted on a Web site. It was reportedly not economically feasible in California's current budget crisis. Merchants will only have to supply OISPP with sample data breach notification letters. Actual data breach notices will not be posted.

With the successful passage of SB 364 in the California State Senate, the bill now moves to the Assembly, where SB 364 will be further debated and voted upon. If it passes the Assembly with a majority vote, the bill will then go to the governor's desk, where it will either be vetoed or signed into law.

Similar changes to data breach notification laws have already been made in Michigan, New Hampshire, North Carolina and New Jersey.
