Skip to content

April 14, 2011

For More Information, Contact:
Melissa Figueroa (916) 651-4011 .(JavaScript must be enabled to view this email address)
Phil Yost (650) 688-6384 .(JavaScript must be enabled to view this email address)


SACRAMENTO – The California State Senate voted Thursday to approve Senate Bill 24 by State Senator Joe Simitian (D-Palo Alto).  Senate Bill 24 strengthens and improves the state’s existing security breach notification requirements.

Current California law requires data holders to notify individuals when there has been a breach of personal information, but does not indicate what information should be contained in the notification. Simitian says SB 24 is “the logical next step.”

“No one likes to get the news that personal information about them has been stolen,” said Simitian. “But when it happens, people are entitled to get the information they need to decide what to do next.”

California’s current data breach law, authored by Simitian in 2002, requires companies and state government agencies to notify individuals when their personal information has been compromised. Senate Bill 24 would strengthen the existing law by doing the following:

• Establish standard, core content for data breach notification – such as the type of information breached, the time of breach and a toll-free telephone number of major credit reporting agencies for security breach notices in California; and,

• Require public agencies, businesses and people subject to California’s security breach notification law to send an electronic copy of the breach notification to the Attorney General if more than 500 Californians are affected by a single breach.

A survey by the Samuelson Law, Technology & Public Policy Clinic at UC Berkeley found that 28 percent of data breach victims receiving a security breach notification letter “do not understand the potential consequences of the breach after reading the letter.”

Privacy Rights Clearinghouse, a non-profit consumer education and advocacy group, reports that at least 500 million sensitive records have been compromised nationwide since 2005.

In the years since Simitian’s original privacy legislation (AB 700) was signed into law, more than 40 states have adopted similar legislation. At least fourteen other states and Puerto Rico now require security breach notification letters to include specified types of information similar to the requirements of SB 24.

“This new measure makes modest but helpful changes to the law.  It will also give law enforcement the ability to see the big picture, and a better understanding of the patterns and practices developing in connection with identity theft,” said Simitian.

“The changes proposed to the law by Senator Simitian’s bill enhance identity theft protection for Californians,” said Richard Holober, Executive Director of the Consumer Federation of California. “We’re hopeful that the Legislature will once again continue to move this bill forward, and that the Governor Brown will sign it into law.”

Simitian’s prior efforts to upgrade security breach notification were vetoed by Governor Schwarzenegger. Simitian said he reintroduced the measure in hopes that with a new administration “a signature by the Governor may be possible this year.”

Senate Bill 24 now moves to the State Assembly for consideration.

For more information on Senate Bill 24, and a look at the other versions of the bill introduced in past years, visit