Posted by: Scot Petersen
California Data Security and Privacy Law, data breach, encryption, Massachusetts Data Security and Privacy Law, SB 20, Schwarzenegger, Simitian
In case you missed it, California Gov. Arnold Schwarzenegger vetoed Senate Bill 20, which would have added a few more requirements to the state’s existing data breach notification law.
Sponsored by state Sen. Joe Simitian, the additions to the landmark data breach law would require holders of personal information to reveal the type of information that was lost and details of the actual breach incident, in addition to notifying data owners of the event.
In his veto letter, Schwarzenegger called the bill “unnecessary … because there is no evidence that there is a problem with the information provided to consumers.”
In an interview with SearchCompliance.com in September, Sen. Simitian said that final negotiations had eliminated any opposition to SB 20, and said the purpose of the bill was to provide consumers with more information. “My argument was, you want to let the state know, so we can get some sense of the scope of the problem,” he said. “And also so consumers have some sense. If I communicate to you that you are one of three files that were compromised, then you are probably a little more anxious and a little more likely to take some steps to protect yourself then if you were one of 500,000.”
In reacting to the veto, Sen. Simitian said, “I’m surprised as well as disappointed by the governor’s veto,” said Simitian in a statement. “This was a common sense step to help consumers. No one likes to get the news that personal information about them has been stolen. But when it happens, people are entitled to get the information they need to decide what to do next. This bill would have made one of California’s key consumer protections even better.”
What happens next is not clear. Simitian said in the interview that if SB 20 was passed he would not foresee any additional changes, arguing that the “light touch” of the existing law was enough to keep data holders responsible and proactive, rather than mandating encryption and other technologies like Massachusetts and Nevada have done.