Businesses May Face New Data Security Breach Notice Requirements
February 2, 2011
Businesses that conduct e-commerce should pay close attention to a new bill recently introduced in the California State Senate. State Senator Joseph Simitian is taking another crack at heightened data security breach notice requirements with his recent introduction of Senate Bill 24, a duplicate of last session’s Senate Bill 1166, which was in turn nearly identical to 2009’s Senate Bill 20.
The purpose of this legislation is to strengthen the requirements for notices of database security breaches. The first such legislation was enacted in 2002, requiring any person or entity that maintained a data system to send notice of a breach of the system to any California resident whose data was taken by another without authorization. Cal. Civil Code § 1798.82.
As more consumer information is placed online, unauthorized attempts to access such information are increasing as well. According to the Privacy Rights Clearinghouse, since 2005 there have been over 500 million breaches of sensitive consumer information such as medical records, social security numbers, and credit cards. <http://www.privacyrights.org/500-million-records-breached>
Senator Simitian’s most recent effort is an attempt to standardize what the notice must say. Senate Bill 24 requires the security breach notice to include, among other things, a general description of the type of information breached, a general description of the breach, and toll-free telephone numbers of major credit reporting agencies if the breach exposed a bank account or credit card number, social security number, driver’s license, or California identification card number.
If the breach involves more than 500 California residents, the bill also requires the person, entity, or agency to provide notice to the attorney general.
Both Senate Bill 20 and Senate Bill 1166 were supported by many consumer protection groups but opposed by some companies and industry associations that argued the additional notification requirements were unnecessary and unhelpful to consumers. Both bills were passed by the legislature, but vetoed by Governor Schwarzenegger.
With a new Democratic governor having taken office, it appears likely this time around that the bill will be signed into law, adding to the notice requirements companies and individuals will face after breaches of their data systems. You can monitor SB 24’s progress on the Official California Legislative Information website.