The Green Sheet Online Edition

February 25, 2008  •  Issue 08:02:02


State bill clarifies breach obligations

With the California State Senate's passage of SB 364, the state moved a step closer to strengthening its data breach notification law, a law California merchants and their ISOs would be required to follow.

It defines what information merchants must make publicly available if consumers' personal data are compromised in a breach.

SB 364 is meant to standardize what merchants must disclose after a breach and to make that information available not only to affected consumers but also to state agencies, including law enforcement, so they can track and halt patterns of abuse.

California passed the initial security breach notification law in 2002 as a combination of two bills, SB 1386 and Assembly Bill 700, authored respectively by State Senator Steve Peace, D-El Cajon, and then-Assembly Member Joe Simitian, D-Palo Alto, who now serves in the State Senate. That law went into effect on Jan. 1, 2003.

"The law has worked surprisingly well because it is simplicity itself," said Simitian in a speech on the floor of the Senate before the SB 364 vote on Jan. 31, 2008.

"It says that whether a governmental entity or a business holds your data [and then] loses that data, it has to tell you so you can take steps to protect yourself.

"That simple tool has meant that millions of American consumers have known when their personal [information] had been disclosed and they were at risk.

"Also it means there has been a powerful incentive on both government and business to improve their data security."

But the law did not specify what information the public agencies, businesses or persons subject to it had to disclose to consumers who might be affected by a security breach.

As a result, breach notification letters often omitted basic facts, such as the date of the breach or the type of information compromised, leaving consumers in the dark about how to respond and what steps to take to protect themselves from identity theft.

Furthermore, there was no central location for reporting security breaches, so there was no way to assess or improve California's breach laws based on patterns of criminal activity or changing consumer practices.

SB 364 is designed to address these gaps. According to Simitian, the bill:

Lawmakers removed a provision that would have had information about every breach posted publicly on a Web site; it was reportedly not economically feasible given California's current budget crisis. Instead, merchants will only have to supply the state Office of Information Security and Privacy Protection (OISPP) with sample data breach notification letters. Actual data breach notices will not be posted.

With its passage in the California State Senate, SB 364 now moves to the Assembly, where it will be further debated and voted upon. If it passes the Assembly with a majority vote, the bill goes to the governor's desk to be either vetoed or signed into law.

Similar changes to data breach notification laws have already been made in Michigan, New Hampshire, North Carolina and New Jersey.
