Secure Payments, PCI DSS, Regulatory Compliance Blog

California Taking a Step Back?

October 21st, 2009 by hmark Posted in PCI DSS

California has long been credited with the creation of the state breach notification law. For many in the security world, breach notification and SB 1386 are practically synonymous. In the years since its passage, however, breach notification laws have undergone a number of evolutionary changes: central reporting requirements, and requirements that organizations provide details of the breach and the type of information that was potentially compromised, are among them. The notion behind including these elements in the notification requirements is that a citizen who is well-informed is well-armed. Knowing these details can help people who have been caught in a data breach keep track of their financial accounts and watch out for potential fraud. The central reporting structure is becoming much more common, as the percentage of compromised entities actually reporting breaches has long been suspect.

With these notions in mind, state Sen. Joe Simitian (D), the author of the original Breach Notification Law in California, proposed an update to the law. Under this update, all organizations that suffered a compromise of more than 500 records would be required to report the breach to the state’s Attorney General. Additionally, the organizations would be required to provide more detail to consumers, including when the breach occurred, what type of information was compromised, and how they can monitor their credit for suspicious activity. There was no opposition to the bill once a clause requiring companies to disclose to affected individuals the number of records compromised was removed from it; with that change, the California Chamber of Commerce withdrew its opposition. The bill passed the state legislative bodies and was sent to the Governor for signature. The Governor, however, vetoed the bill, saying that he saw no additional benefit to consumers as a result of the new requirements and didn’t understand why the Attorney General’s office should begin keeping numbers on the breaches.

Gov. Schwarzenegger has vetoed a previous data protection law, though admittedly that one was far more divisive than the current proposition. It is questionable, though, why the Governor would veto a bill that even the retailers didn’t oppose. This is the same state that is considering banning big-screen High Definition televisions because of their environmental impact. This move, in my opinion, seriously tarnishes California’s image as a standard bearer in consumer data protection. Though I haven’t been a proponent of these laws on the whole, the public and the government view data breach notification laws as a critical component in the fight against identity theft and financial fraud. Additionally, since public policy tends to be incremental in nature, it is to be expected that the original law would be adjusted and “tweaked” to address newly identified weaknesses (such as failure to report breaches) in the existing legislation. By failing to enact this law, the Governor has lost California’s lead in this area. In fact, an argument can be made that, while other states are racing ahead in the protection of consumer data, California is ceding its leadership position.
