California Gov. Jerry Brown signed into law a bill that defines exactly what organizations have to disclose in case of a data breach.
has updated its data breach notification law to further define what
organizations have to do in case customer data is stolen.
bill, SB-24, updates California's current data breach notification law by
requiring organizations to include in the breach notification letters the
specifics of the security incident and advice on steps customers should take.
The bill also includes provisions mandating that if the security breach
affected 500 or more people, the organization must submit a copy of the letter
to the state attorney general's office. The bill was signed into law Aug. 31 by
Gov. Jerry Brown and will take effect on Jan. 1, 2012.
breach notification letters must include information such as the type of
personal information exposed, a description of what happened, time of the
breach, and toll-free telephone numbers and addresses of major credit reporting
agencies in California, according to the new law. The original law did not
specify what information had to be included in the letters. The new law also
requires the letters to be sent "in the most expedient time possible and
without unreasonable delay."
one likes to get the news that personal information about them has been
stolen," said State Sen. Joe Simitian (D), the bill's sponsor. "But
when it happens, people deserve to get the information they need to decide what
to do next."
28 percent of data breach victims receiving a security breach notification
letter "do not understand the potential consequences of the breach after
reading the letter," Simitian said, referring to a recent survey by the
Samuelson Law, Technology & Public Policy Clinic at the University of
organization that stores any kind of personal information must send out
notification letters as soon as it discovers a security breach in which
"unencrypted personal information was, or is reasonably believed to have
been, acquired by an unauthorized person," according to the new law. If the law
enforcement agency involved decides that disclosing the breach and notifying
the victims would impede the criminal investigation into the incident, then the
notification "may be delayed."
we've see an increase in pressure for companies involved in data breach to
report increasingly specific data, and in an increasingly timely manner, this
effort from California legislation appears poised to do just that," wrote
Cameron Camp, a security researcher at ESET, on the ESET Threat blog.
was the first state to pass a law eight years ago requiring companies to alert
California residents if their personal data was accessed illegally in a data
breach. Since then, nearly all the other states have followed suit with their
versions of that law. All the states have slightly different requirements,
resulting in President Obama to request a national
data breach notification law
so organizations don't need to negotiate a
"patchwork of 47 state laws." There are multiple
data breach notification bills
currently circulating in the House of
Representatives and the Senate.
is often at the forefront of consumer privacy. Along with the first data breach
notification law, the state legislature was considering a "Do
" law to restrict how Web services and companies collect data
online for California residents.
though the law applies only to California residents affected by the breach, it will
have an impact across state lines. Organizations are not likely to issue two
sets of letters, one for California residents and one for other states, after a
data breach. Organizations will have to adjust their data breach notification
policies to make sure they are including the information required under the law
for future incidents.
had been vetoed twice by former Gov. Arnold Schwarzenegger. Schwarzenegger had
said there was no proof the additional information in the letter would actually
help consumers. He also did not want the attorney general's office to become a
"repository" for breach notifications.
and New Hampshire require organizations to notify the state attorney general in
case of a data breach affecting their residents.
had said in the past that notifying the attorney general would give law
enforcement officials the information needed to identify patterns in data theft
to define the scope of the threat.
Rights Clearinghouse estimates that at least 500 million sensitive records have
been compromised nationwide since 2005. There have been a number of sensitive
records compromised in 2011 alone, with multiple breaches on Sony servers and
various third-party organizations hit by random attackers.