California bill spells out what companies have to say about data breaches
New legislation seeks to broaden scope of state's landmark breach-notification law
IDG News Service - A co-author of the landmark data-breach notification law that took effect in California six years ago is now looking to add new requirements spelling out what companies have to tell affected individuals about breaches.
The new bill, which was introduced by state Sen. Joe Simitian in December and is officially known as S.B. 20, also would require companies to report any data breaches affecting more than 500 California residents to the state's attorney general.
Speaking at a symposium on breach notification issues that was held last Friday at the University of California's Berkeley campus, Simitian contended that S.B. 20 would give "greater clarity and specificity as to the content of security breach notices, which I think is long past due."
While some breach notification letters do a good job of telling users what happened to their data, a "substantial number" do not, Simitian said, adding that the lack of information leaves consumers "more confused than informed."
California's S.B. 1386 breach-notification law was the nation's first. It requires that consumers be notified when unencrypted financial data is lost or stolen from systems and is credited with shining a light on the issue of data privacy and inspiring similar legislation in 43 other states.
In fact, Simitian said that one of his goals in helping to write the 2003 bill was to help people outside of California. "This goal has been more fully realized than we could have ever anticipated at the time," he added.
But lawyers working on data breach cases estimate that perhaps only one in 10 breaches are ever made public, according to Fred Cate, a law professor at Indiana University. "We actually have very poor data on data breaches," he told the attendees at the symposium.
Part of the problem, according to Cate, is that while consumers must be notified of breaches, most states don't require that any notifications be made to a central authority.
That would change in California if S.B. 20 is signed into law. And by requiring the attorney general's office or another government agency to keep track of breaches, state residents and officials would get "a better understanding of the nature and scope of the problem," Simitian said.
Some states already require that breach notification letters be sent to a designated state agency, but Simitian's bill would centralize that information in the most populous state in the U.S., potentially creating the country's largest repository of breach data.
Simitian said he hopes to see California Gov. Arnold Schwarzenegger sign S.B. 20 by year's end. "That would make a good law, a groundbreaking law, even better," he said.
The California law was just expanded in January to cover breaches of medical and insurance data.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts