California was the first state in the nation to enact a breach notification law. The 2002 law required organizations that store records with consumer information -- both companies and government agencies -- to notify consumers when their sensitive personal information was lost or stolen. Last week, California Governor Brown signed into law SB 24. What's new about SB 24:
"Specifically, SB 24 establishes standard, core content for data breach notifications including a general description of the incident, the type of information breached, the time of the breach, and toll-free telephone numbers and addresses of the major credit reporting agencies in California.... In addition, SB 24 also requires data holders to send an electronic copy of the notification to the Attorney General, if a single breach affects more than 500 Californians."
SB 24 (Adobe PDF) goes into effect January 1, 2012.
This is good news for consumers, as other states' breach notification laws have followed California's lead. I believe it is also good because too often, consumers have no idea what to do next when they receive a breach notificaton letter. Too many don't know about the credit reporting agencies: Experian, Equifax, and TransUnion; nor the consumer's responsibility to keep their credit reports accurate; and the need to monitor their credit reports after a breach/theft.
Since writing this blog I have talked with many consumers. A breach notification letter is often a wake-up call that he/she needs to take action to protect their sensitive personal and financial information.
Moreover, the InfoLaw Group appropriate emphasized that SB 24:
"... adds California to the list of states and other jurisdictions that require some type of regulator notice in the event of certain types of data security breaches... Other states that require some form of regulator notice in some circumstances for certain kinds of entities (sometimes for a breach, and sometimes to explain why an entity has determined there was no breach) include Alaska, Arkansas, Connecticut, Hawaii, Indiana, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, Puerto Rico, South Carolina, Vermont, and Virginia."
Don't see your state on this list? Write to your elected officials and demand an improved breach notification law for your state.
Sadly, only four states' governments post online the breach notifications they receive: Maryland, New Hampshire, Vermont and Wisconsin. Online postings are a good way for consumers to verify the breach notifications they receive.