By Kelly Jackson Higgins
Aug 25, 2010
A privacy breach notification bill recently passed by the California
legislature would expand the state's existing law for how organizations
notify consumers of a data breach.
California's existing data breach law does not specify what the breach
notification should include information-wise. "This bill is intended to
fill that gap by establishing standard, core content for breach
notification letters," reads the California Senate Bill 1166, which was
first introduced to the legislature in March.
Whether the new bill becomes law is up to Governor Arnold
Schwarzenegger, who had previously vetoed a similar data breach bill
because it put too much "unnecessary mandates on businesses without a
corresponding consumer benefit," he said at the time.
The new bill, among other things, requires that the company include the
type of personal information exposed in the breach; the date or
estimated date of the breach; a general description of the incident
itself; and toll-free numbers and addresses for credit reporting
agencies if the breach included social security numbers, driver's
licenses, or California ID cards. The breached organization would also
have to explain how it's now protecting the affected victims and provide
recommendations for how they can protect themselves. And if a single
breach affects more than 500 California residents, the organization must
send the Attorney General an electronic copy of the notification,
according to the bill.
Subscribe to InfoSec News - www.infosecnews.org