SB 364: Security Breach Notification Enhancements (2007)
Summary
This bill would make relatively modest but helpful changes to the current security breach notification statutes to enhance consumer and Legislative knowledge about, and understanding of, security breaches. Similar changes have already been made in Michigan, New Hampshire, North Carolina and New Jersey, and have been considered by the California Legislature as minor provisions in prior, more comprehensive security breach reform proposals.
After this bill passed the Legislature, Senator Simitian sent a letter to the Governor urging his signature on this bill.
For more information, you can read the SB 364 "Fact Sheet" prepared by a member of Senator Simitian's staff.
Final Status and Text
SB 364 is no longer active. Its final status was: Vetoed by the Governor
You can read its final text on the Legislature's Bill Information site.
Background Information
Need for the Bill
Although California has a security breach notification law (A.B. 700, Simitian/S.B. 1386, Peace - 2002), we do not require public agencies, businesses, or persons subject to that law to provide any standard set of information about the breach to consumers. As a result, security breach notification letters often lack important information – such as the time of the breach or type of information that was breached – or are confusing to consumers. This leaves consumers uncertain about how to respond to the breach or protect themselves from identity theft, and leaves businesses and government entities that have experienced a breach unsure about what to put in the notices they send consumers.
What the Bill Does
In a nutshell, this bill establishes standard, core content—such as the type of information breached and time of breach—for security breach notices in California.
Studies and Reports
- “Federal Trade Commission – 2006 Identity Theft Survey Report,” by Synovate, November 2007, pages 54-57 – found that 9 percent of survey participants (national sample) had been notified of a security breach.
- “Security Breach Notification Laws: Views from Chief Security Officers,” December 2007, Samuelson Law, Technology & Public Policy Clinic – found uniform content in security breach notices and centralized reporting would improve the notification process.
- “Data Breach Notification Laws, State By State,” by Scott Berinato of CSO Magazine
Samples of Security Breach Notification Letters—Good and Bad
- Promising Practice: This PDF from Lexis-Nexis points in the direction California should go. This file contains information reported to the State of New York under its security breach notification law, including a cover letter to state authorities and an excellent sample notification letter that went to consumers.
- Needs work: The letters linked in this PDF could be improved. All the letters contained herein are missing vital information that would help consumers understand how to respond to the breach.
How Can I Help?
You can send a letter in support of SB 364 to Senator Simitian. Staff has drafted a sample letter you can use. Edit it as necessary.
News & Press Releases about SB 364
08/31/2011 - Simitian's Consumer Privacy Bill Signed Into Law
08/19/2011 - Simitian's Consumer Privacy Protection Bill Passed By Legislature, Goes to Governor For Approval
04/14/2011 - Simitian's Consumer Privacy Protection Bill Passed By Senate
05/20/2009 - Privacy Piracy interview with California State Senator Joe Simitian, 11th District
02/01/2008 - Senator Simitian Speaks on SB 364 - Data Breach Notification
01/31/2008 - Senate Strengthens California Privacy Protection Measure