Earlier this week, SC Magazine reported that the California State Senate passed SB-20. This is good news for consumers. California Senate Bill SB-20 requires:
"... any agency, person, or business that must issue a security breach notification pursuant to existing law to fulfill certain additional requirements pertaining to the security breach notification, as specified. The bill would also require any agency, person, or business that must issue a security breach notification to more than 500 California residents pursuant to existing law to electronically submit that security breach notification to the Attorney General."
Current laws require companies and agencies to tell affected consumers only that a breach occurred, and don't require the disclosure of details about the breach (e.g., number of consumers affected, types of data lost or stolen, events that led up to the breach, status of the post-breach investigation, etc.). While California has led the nation in passing consumer-friendly identity-theft legislation, this new legislation fills a critical gap. The additional requirements in California Senate Bill SB-20 are as follows:
"The security breach notification shall include, at a minimum, the following information:
(A) The name and contact information of the reporting agency subject to this section.
(B) A list of the types of personal information, as defined in subdivision (g), that were or are reasonably believed to have been the subject of a breach.
(C) The date, estimated date, or date range within which the breach occurred, if that information is possible to determine at the time the notice is provided, and the date of the notice.
(D) Whether the notification was delayed as a result of a law enforcement investigation.
(E) A general description of the breach incident.
(F) The estimated number of persons affected by the breach.
(G) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a bank account or credit card number, a social security number, or a driver's license or California identification card number."
In order to make timely and effective decisions to protect their sensitive personal data, consumers need to be fully informed about data breaches. In my experience, IBM's breach notice never disclosed the number of records lost/stolen or the number of consumers affected by its February 2007 breach. Nor did IBM disclose the results of its breach investigation, or even if it fired/reprimanded the vendor involved.
Earlier this month, my wife received a breach notice from her credit union. That notice lacked details about both the breach and the follow-up investigation.
The California Senate Bill SB-20 is a good bill. Thanks to California State Democrat Senator Joe Simitian for introducing SB-20. (He also sponsored SB-1386, the landmark 2003 identity theft legislation that paved the way for other states' identity theft legislation.) I hope that the California Assembly approves it and that Governor Schwarzenegger signs it. I hope that other states pass similar legislation. If you agree, tell your elected officials today.