The California State Senate just passed Senate Bill (SB) 20 (warning: dense legalese), which augments the groundbreaking Data Breach law SB-1386. The bill, sponsored by Sen. Joe Simitian (D-Palo Alto), who also sponsored SB-1386 in 2002, aims to strengthen existing privacy protection laws for California consumers. It is now headed to the State Assembly for approval.

Currently, organizations are only required to notify folks that a breach has occurred. As written, this legislation would mandate that “any agency, person, or business that must issue a security breach notification” must include additional information over and above current law and, when said breach impacts more than 500 residents, must inform the state Attorney General.

What and how much additional information? Well, here’s what I can get out of it; the breach notification must meet the following requirements:

  • Must be written in plain English
  • Must include, at minimum, the following:
    • Name and contact info of the reporting entity (agency, person or business)
    • Personal information involved in the breach
    • When it happened
    • Whether there was a delay in notification because of investigations
    • A description of the breach
    • Estimated number of people affected
    • Contact info for credit reporting agencies
  • Other discretionary data, including what the organization has done to protect those impacted and any advice on steps which those individuals might take to protect themselves.

As the sponsor said in one report, “The premise is simple. What you don’t know can hurt you. Ignorance is not bliss. And you can’t protect yourself if you don’t know you’re at risk.” Simitian said his latest proposal (SB 20), “is designed to make a good law even better.”

Overall, as a consumer / CA resident, this all sounds pretty reasonable to me. And it should help the good folks at the OSF DataLossDB give us better information about the true state of affairs in this arena; however, I doubt it will get Romanosky et al. to change their conclusions (warning: PDF), but that’s a whole other topic. In the meantime, if you do business in CA, it looks like you’re going to be subjected to some new breach notification rules (albeit, to my reading, not going way beyond other States’ laws), so get ready.