The Green Sheet Online Edition
February 25, 2008 • Issue 08:02:02
State bill clarifies breach obligations
With the passage of SB 364 in the state Senate, California moved closer to strengthening its data breach notification law, a law that California merchants and their ISOs must adhere to.
The bill defines what information merchants must disclose to consumers whose personal data are compromised in a breach.
SB 364 is meant to set standards for the content of merchants' breach notifications, and to make the required information available to consumers and to state agencies, including law enforcement, so they can track and halt possible patterns of abuse.
California passed the initial security breach notification law in 2002, a combination of two bills - SB 1386 and Assembly Bill 700 - authored respectively by State Senator Steve Peace, D-El Cajon, and State Senator Joe Simitian, D-Palo Alto. That law went into effect on Jan. 1, 2003.
"The law has worked surprisingly well because it is simplicity itself," said Simitian in a speech on the floor of the Senate before the SB 364 vote on Jan. 31, 2008.
"It says that whether a governmental entity or a business holds your data [and then] loses that data, it has to tell you so you can take steps to protect yourself.
"That simple tool has meant that millions of American consumers have known when their personal [data] had been disclosed and they were at risk.
"Also it means there has been a powerful incentive on both government and business to improve their data security."
But the law failed to specify what information public agencies, businesses or persons subject to it must provide to consumers who may have been affected by a security breach.
As a result, breach notification letters often lacked basic facts, such as the date of the breach or the type of information compromised, leaving consumers in the dark about how to respond to the breach or how to protect themselves from identity theft.
Furthermore, there was no centralized location for reporting security breaches, so there was no way to assess or improve California's existing breach laws based on patterns of criminal activity or changing consumer practices.
According to Simitian, SB 364 is designed to:
- Gives consumers more information to protect themselves from identity fraud
- Gives businesses greater clarity about what their obligations are when making a data breach notification to consumers
- Through the central repository of data breach information, gives law enforcement another tool for the fight against identity theft
Lawmakers removed a provision that would have had information about every breach posted publicly on a Web site; it was reportedly not economically feasible given California's current budget crisis. Instead, merchants will only have to supply the state Office of Information Security and Privacy Protection (OISPP) with sample data breach notification letters. Actual data breach notices will not be posted.
With its passage in the California State Senate, SB 364 now moves to the Assembly, where it will be further debated and voted upon. If it passes the Assembly with a majority vote, the bill goes to the governor's desk to be either signed into law or vetoed.
Similar changes to data breach notification laws have already been made in Michigan, New Hampshire, North Carolina and New Jersey.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.