January 31, 2008

For More Information, Contact:
Hema Sareen Mohan (650) 688-6384


SACRAMENTO - The California State Senate passed Senate Bill (SB) 364, authored by State Senator Joe Simitian (D-Palo Alto), which would require that consumers receive a clear, informative notification letter when personal data kept by a business or public agency has been stolen. It also requires the state to establish a central reporting site to catalog security breaches. The vote of 30-7 moves the bill to the State Assembly.
Businesses and public agencies already are required to notify people whose personal information might have fallen into the wrong hands, pursuant to legislation Simitian authored in 2002. But there is no standard set for what information must be included in the notice. Some businesses let people know what has happened and what they can do to protect themselves. Others have sugarcoated the news, or buried it in legal jargon, with the result that people don’t understand their vulnerability to identity theft.
“No one likes to get the news that information about them has been stolen,” said Simitian, “but when it happens, people are entitled to get a notice they can understand, and that helps them decide what to do next.”
“The premise is simple,” added Simitian. “What you don’t know can hurt you. Ignorance is not bliss. And you can’t protect yourself if you don’t know you’re at risk.” His latest proposal, SB 364, “is designed to make a good law even better,” said Simitian.
Current law requires that a business or government agency that loses personal data provide notice to the individuals whose information has been compromised. More than 40 states have adopted similar legislation since California’s law was enacted in 2002, largely based on the California measure.
Simitian noted that identity theft has been number one on the list of consumer fraud complaints to the Federal Trade Commission for seven years running. The Privacy Rights Clearinghouse reports that since 2005, over 217 million records have been breached nationally.
SB 364 lists the information that a security breach notification must contain. It includes:

  • the toll-free telephone numbers of the major credit reporting agencies, to allow consumers to put a hold on their credit;
  • the name and contact information of the business that has experienced a breach;
  • the type of information, such as names and Social Security numbers, that might have been taken;
  • the date of the breach and of its discovery;
  • a general description of the breach;
  • the estimated number of persons affected.

A standard format for notifications was one of two major recommendations in a recent study by the Samuelson Law, Technology & Public Policy Clinic at the University of California - Berkeley School of Law. The second was the establishment of a central clearinghouse for security breach information. A site to which all security breaches must be reported would enable law enforcement and public policy makers to better understand the extent of the problem, and see any patterns that might enable them to contain it.
“Senator Simitian’s amendments will reduce the incidence and severity of breaches, because security professionals learn from incidents at other organizations, and take action at their own companies to fix problems or recognize previously unforeseen risks,” said Chris Hoofnagle, Senior Staff Attorney at the Samuelson Clinic.
Simitian’s 2002 authorship of the California security breach notification law has been widely recognized. In 2003, Scientific American recognized him as one of the “Scientific American 50 Leaders in Technology.” And in 2007, he was honored by the online security industry with an award for “Excellence in Public Policy” at the annual RSA security conference.
For more information about SB 364, go to and click on the link for Legislation.