Skip to content

FOR IMMEDIATE RELEASE                     
January 20, 2011

For More Information, Contact:
Melissa Figueroa (916) 651-4011 .(JavaScript must be enabled to view this email address)
Phil Yost (650) 688-6384 .(JavaScript must be enabled to view this email address)


SACRAMENTO – State Senator Joe Simitian announced today he has introduced a bill to enhance consumer privacy protection by strengthening the notification requirements when databases of personal information are compromised.

California’s existing data breach law, authored by Simitian in 2002, requires companies and state government agencies to notify individuals when their personal information has been hacked into, stolen or lost. Senate Bill 24 takes “the next logical step,” said Simitian, by specifying what information must be included in the notification, so that individuals can better determine how to protect themselves against identity theft.

“The unwelcome news that personal information has been stolen should be accompanied by information that enables individuals to decide what steps to take next,” said Simitian. Current notifications of data breaches vary widely in the information they provide and in their helpfulness to individuals who are affected.

The bill would establish standard content for data breach notification, including:
    • A general description of the incident.
    • The type of information breached.
    • The date and time of the breach.
    • A toll-free telephone number of major credit reporting agencies for security breach notices in California.

The law also requires public agencies, businesses and people subject to California’s security breach notification law to send an electronic copy of the breach notification to the Attorney General if more than 500 Californians are affected by a single breach.

“This new measure makes modest but helpful changes for consumers,” said Simitian. “By requiring notice to the Attorney General, it will enable law enforcement to identify patterns of data theft and to understand the scope of the threat.”

Although data breach victims are entitled to receive a security breach notification letter, a survey by the Samuelson Law, Technology & Public Policy Clinic at UC Berkeley found that 28 percent of them “do not understand the potential consequences of the breach after reading the letter.”

Privacy Rights Clearinghouse, a non-profit consumer education and advocacy group, reports that at least 500 million sensitive records have been compromised nationwide since 2005.

Senate Bill 24 is a reintroduction of legislation that previously was vetoed by Governor Arnold Schwarzenegger. “I’m hoping a new administration will give this issue a fresh look,” Simitian said.

“The changes proposed to the law by Senator Simitian’s legislation enhance identity theft protection for Californians,” said Richard Holober, Executive Director of the Consumer Federation of California. “We’re hopeful the bill can be signed into law this year.”

In the years since Simitian’s original privacy legislation, Assembly Bill 700, was signed into law, 46 other states, as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands, have enacted laws that are modeled on the California statute. At least 14 other states and Puerto Rico now require security breach notification letters to include specified types of information similar to the requirements of SB 24. Most of these states also require notification of a state regulator, such as the Attorney General, as well as individuals.

For more information on SB 24, visit