Revising CA breach law (SB 20)

["Sasha Romanosky" <sromanos () andrew cmu edu>]

I hadn't seen this posted yet, so here's the proposal for updating the CA
breach law.

What I find most interesting are the arguments opposed (2nd to last
paragraph). Not that I believe them, necessarily, but that it would be a
great to actually find some evidence either in favor or against them. I've
seen a little bit of work related to whether people feel more or less
comfortable disclosing information to a larger/smaller database, though
nothing conclusive. I suspect the idea is that people might feel more secure
with larger databases because of some twisted mental model of being 'lost in
a crowd' which likely doesn't hold well in the digital medium. 


http://www.lexology.com/library/detail.aspx?g=c14cd9fc-819c-42b6-9dc3-43d9f7
955e9f
Legislation would mandate breach notification content and centralized
reporting
March 11 2009

In California, proposed legislation (SB 20) would significantly update the
state's data breach notification statute. The bill would (1) delineate
standard information that agencies, businesses, and individuals must include
in any data breach notification and (2) require centralized reporting of
certain breaches to the state's Attorney General. In 2003, California became
the first state to pass a data breach notification statute. That statute
then served as a model for more than 40 other similar statutes. Given the
impact of California's initial statute, these changes, if adopted, could
prompt similar updates in numerous other states across the country.    

First, the proposed changes would explicitly delineate the information that
agencies, businesses, and individuals must include in any data breach
notification. Aside from its requirement that the notification "be written
in plain language," the proposal requires that the notification must
include, at a minimum:

- Name and contact information of the reporting agency, business, or
individual; 
- List of the types of personal information that were or are reasonably
believed to have been the subject of the breach; 
- Date, estimated date, or date range within which the breach occurred; 
- Date of the notice and whether notification was delayed as a result of law
enforcement investigation; 
- General description of the breach incident; 
- Estimated number of persons affected by the breach; and 
- If the breach exposed a bank account, credit card, social security,
driver's license, or California identification card number, the toll-free
telephone numbers and address of the major credit reporting agencies. 
- The agency, business, or individual may also, but is not required to,
include (1) information about what it has done to protect the individuals
whose information was breached or (2) advice on steps that the person whose
information has been breached may take to protect himself.

Second, the proposed changes would centralize reporting of data breach
notification for certain breaches with the state Attorney General. The
statute would require any agency, business, or individual required to issue
a security breach notification to more than 500 California residents as a
result of a single breach to electronically submit that notification to the
state Attorney General. Several other state laws already require centralized
reporting to the state's attorney general.

Opponents of the legislation include the Association of California Insurance
Companies, the California Bankers Association, the California Business
Properties Association, the California Chamber of Commerce, the California
Financial Service Association, the California Mortgage Bankers Association,
Experian, the Personal Insurance Federation of California, State Farm, the
State Privacy and Security Coalition, and Tech America.

Opponents of the legislation assert that requiring breach notifications to
include the contact information for credit bureaus misleads consumers into
thinking that identity theft will occur, which is not necessarily true.
Opponents also question whether it is necessary for individual consumers to
receive notification of the number of affected individuals. Finally, the
opponents claim that disclosing the date and size of the breach will allow
hackers to determine that a particular method of attack was successful and
that an attack on a certain database is likely to yield a certain amount of
personal information.

State senator Joe Simitian, the co-author of California's initial 2003 data
breach notification legislation, proposed these updates in December 2008. On
March 3, 2009, the state's Senate Judiciary Committee recommended, by a vote
of 3-2, that the bill pass with only minor technical amendments. On March 4,
2009, the bill was referred to the state Senate Committee on Appropriations.
Senator Simitian has publicly stated that he hopes to see the bill signed
into law by the end of 2009.  


_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)

CREDANT Technologies, a leader in data security, offers advanced data encryption solutions.
Protect sensitive data on desktops, laptops, smartphones and USB sticks transparently 
across your enterprise to ensure regulatory compliance.
http://www.credant.com/stopdataloss