Computerworld - A proposed California law that would have significantly broadened the scope of an existing state identity theft law has been quietly amended in what appears to be a concession to groups that have been lobbying against it.
The bill in question is called Senate Bill 1279 and was originally proposed by California Sen. Debra Bowen on Feb. 13. The bill seeks to widen the scope of an existing California identity theft law that went into effect last July.
Under that law, any company that maintains computerized databases containing certain pieces of personal information about California residents is obligated to inform those individuals of any security breach in which unencrypted personal data may have been compromised.
Bowen's proposed bill sought to expand the scope of that legislation by making it mandatory for companies to report breaches involving not just computerized data, but data maintained on other media as well, such as voice systems and paper.
Critics had argued against the provision by saying that it would prove extremely hard for companies to comply with because of the vast amount of data that would need to be protected. The proposed law would have also required companies to exercise an unfeasible level of control over employee activities and workspaces, according to critics.
In what appears to be a response to such concerns, the proposed bill was amended last Thursday to once again apply only to computerized data.
Two other important provisions in the proposed bill remain unchanged, however. Companies that suffer a security breach involving personal information are still required to provide two years of credit-monitoring services, without charge, to each affected individual. The bill would also require credit reporting agencies to allow consumers to add a password to their credit files that prospective users of that report would need to match before getting access to it.
According to a press release dated Feb. 17, the impetus for SB 1279 arose in part from two separate incidents earlier this year. In one incident, Bank of America Corp. inadvertently mailed 3,800 tax forms containing financial information and Social Security numbers to the wrong individuals. The other incident involved the hacking of a computer in the state Employment Development Department containing personal information for about 90,000 people.
Evan Goldberg, Bowen's chief of staff, said no concessions were made to opponents of the bill.
"The amendments restore existing law relative to computerized data, but create a new, separate section for non-computerized data," Goldberg said in an e-mail. As a result the amendment doesn't "substantively affect" thecircumstances by which a business would have to notify people in case of a security breach, he said.
Read more about Gov't Legislation/Regulation in Computerworld's Gov't Legislation/Regulation Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
