BreachExchange mailing list archives
Revising CA breach law (SB 20)
From: "Sasha Romanosky" <sromanos () andrew cmu edu>
Date: Mon, 16 Mar 2009 15:22:49 -0400
I hadn't seen this posted yet, so here's the proposal for updating the CA breach law. What I find most interesting are the arguments opposed (2nd to last paragraph). Not that I believe them, necessarily, but that it would be great to actually find some evidence either in favor or against them. I've seen a little bit of work related to whether people feel more or less comfortable disclosing information to a larger/smaller database, though nothing conclusive. I suspect the idea is that people might feel more secure with larger databases because of some twisted mental model of being 'lost in a crowd' which likely doesn't hold well in the digital medium.

http://www.lexology.com/library/detail.aspx?g=c14cd9fc-819c-42b6-9dc3-43d9f7955e9f

Legislation would mandate breach notification content and centralized reporting
March 11 2009

In California, proposed legislation (SB 20) would significantly update the state's data breach notification statute. The bill would (1) delineate standard information that agencies, businesses, and individuals must include in any data breach notification and (2) require centralized reporting of certain breaches to the state's Attorney General.

In 2003, California became the first state to pass a data breach notification statute. That statute then served as a model for more than 40 other similar statutes. Given the impact of California's initial statute, these changes, if adopted, could prompt similar updates in numerous other states across the country.

First, the proposed changes would explicitly delineate the information that agencies, businesses, and individuals must include in any data breach notification. Aside from its requirement that the notification "be written in plain language," the proposal requires that the notification must include, at a minimum:

- Name and contact information of the reporting agency, business, or individual;
- List of the types of personal information that were or are reasonably believed to have been the subject of the breach;
- Date, estimated date, or date range within which the breach occurred;
- Date of the notice and whether notification was delayed as a result of law enforcement investigation;
- General description of the breach incident;
- Estimated number of persons affected by the breach; and
- If the breach exposed a bank account, credit card, social security, driver's license, or California identification card number, the toll-free telephone numbers and address of the major credit reporting agencies.

The agency, business, or individual may also, but is not required to, include (1) information about what it has done to protect the individuals whose information was breached or (2) advice on steps that the person whose information has been breached may take to protect himself.

Second, the proposed changes would centralize reporting of data breach notification for certain breaches with the state Attorney General. The statute would require any agency, business, or individual required to issue a security breach notification to more than 500 California residents as a result of a single breach to electronically submit that notification to the state Attorney General. Several other state laws already require centralized reporting to the state's attorney general.

Opponents of the legislation include the Association of California Insurance Companies, the California Bankers Association, the California Business Properties Association, the California Chamber of Commerce, the California Financial Service Association, the California Mortgage Bankers Association, Experian, the Personal Insurance Federation of California, State Farm, the State Privacy and Security Coalition, and Tech America. Opponents of the legislation assert that requiring breach notifications to include the contact information for credit bureaus misleads consumers into thinking that identity theft will occur, which is not necessarily true. Opponents also question whether it is necessary for individual consumers to receive notification of the number of affected individuals. Finally, the opponents claim that disclosing the date and size of the breach will allow hackers to determine that a particular method of attack was successful and that an attack on a certain database is likely to yield a certain amount of personal information.

State senator Joe Simitian, the co-author of California's initial 2003 data breach notification legislation, proposed these updates in December 2008. On March 3, 2009, the state's Senate Judiciary Committee recommended, by a vote of 3-2, that the bill pass with only minor technical amendments. On March 4, 2009, the bill was referred to the state Senate Committee on Appropriations. Senator Simitian has publicly stated that he hopes to see the bill signed into law by the end of 2009.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)