FOR IMMEDIATE RELEASE                    
August 19, 2010

For More Information, Contact:
Melissa Figueroa (916) 651-4011
Phil Yost (650) 688-6384


SACRAMENTO – The California Legislature has voted to enhance consumer privacy protection by passing Senate Bill 1166, by State Senator Joe Simitian (D-Palo Alto), which strengthens the notification required when databases of personal information are compromised. The bill now moves to the Governor’s desk.

California’s existing data breach law, authored by Simitian in 2002, requires companies and state government agencies to notify individuals when their personal information has been compromised. Senate Bill 1166 takes “the next logical step,” said Simitian, by specifying what information must be included in the notification, so that individuals might take steps to protect themselves against identity theft.

“No one likes to get the news that personal information about them has been stolen,” said Simitian. “But when it happens, people are entitled to get the information they need to decide what to do next.” Current notifications of data breaches vary widely in the information they provide and in their helpfulness to individuals who are affected.

Senate Bill 1166 would establish standard content for data breach notification, including:
    —A general description of the incident;
    —The type of information breached;
    —The date and time of the breach; and,
    —A toll-free telephone number of major credit reporting agencies for security breach notices in California.

The law also requires public agencies, businesses and people subject to California’s security breach notification law to send an electronic copy of the breach notification to the Attorney General if more than 500 Californians are affected by a single breach.

“This new measure makes modest but helpful changes to the law. It will also give law enforcement the ability to see the big picture and a better understanding of the patterns and practices developing in connection with identity theft,” said Simitian.

A survey by the Samuelson Law, Technology & Public Policy Clinic at UC Berkeley found that 28 percent of data breach victims receiving a security breach notification letter “do not understand the potential consequences of the breach after reading the letter.”

Privacy Rights Clearinghouse, a non-profit consumer education and advocacy group, reports that at least 347 million sensitive records have been compromised nationwide since 2005.

Senate Bill 1166 is a reintroduction of Simitian’s Senate Bill 20 (2009), which was vetoed last fall by the Governor. Simitian said he reintroduced the measure after conversations with the Governor’s office persuaded him that “a signature by the Governor seems possible this year.”

“The changes proposed to the law by Senator Simitian’s Senate Bill 1166 enhance identity theft protection for Californians,” said Richard Holober, Executive Director of the Consumer Federation of California. “We’re hopeful that the Governor will sign it into law this year.”

In the years since Simitian’s original privacy legislation, Assembly Bill 700, was signed into law, more than 40 states have adopted similar legislation. At least 14 other states and Puerto Rico now require security breach notification letters to include specified types of information similar to the requirements of SB 1166.

For more information on Senate Bill 1166, visit