Consumer Federation of California

Persistence paid off for Senator Joe Simitian. Governor Jerry Brown just signed Simitian’s Senate Bill 24, which will arm consumers with information to help prevent identity theft. In 2008, 2009 and 2010, Senator Simitian placed three previous versions of his security breach notification bill on the desk of former Governor Schwarzenegger, only to encounter vetoes.

If you are one of the many Californians who had your confidential information compromised in a security breach, you most likely found out by receiving a letter in the mail. After reading it, you were probably quite upset, but confused about what you should do about it. SB 24 will help consumers make sense of these notices, and help arm us to stop identity theft.

Security breaches since 2005 exposed at least 500 million personal records of Americans, according to the Privacy Rights Clearinghouse. Some breached records contained sensitive data such as social security numbers, bank or credit card numbers or medical information.  

Sony, Citibank, and the Bay Area Rapid Transit District are recent examples of businesses and government agencies whose customers’ records were stolen by hackers. Just last week it was revealed that 300,000 Californians’ intimate medical records, along with their social security numbers, were viewable for months to anyone with an internet connection, owing to an insurance processing business’ failure to safeguard its electronic data files.

Whether through negligence, or through intentional hacking or stealing, data breaches are a portal to identity theft. Public awareness of these all too frequent security breaches is thanks to a California breach notification law that then-Assemblyman Joe Simitian authored in 2001. Until then, no state had enacted a law requiring businesses and agencies that lost or exposed your personal information to let you know about it.

The 2001 law played a major role in highlighting the extent of the problem — information businesses had preferred to keep under wraps.

SB 24 will provide an important upgrade to California’s landmark breach notification law. It spells out which key details must be included in that notification letter, and would make sure the Attorney General hears about the breach.  If a social security number or drivers license was exposed, the notice letter explains how to contact major credit agencies. That’s especially important, because it empowers consumers to better monitor their accounts for evidence of identity theft, and to take concrete steps to prevent identity theft, including freezing your credit report.

Requiring these details also creates a strong incentive for companies and state agencies to be careful with your information. No one wants their signature at the bottom of that notification letter.

It won’t come as a surprise to anyone that technology puts our private information, from social security numbers to medical files, at risk. The exponential growth of electronic records — while beneficial in many respects — makes breaches more likely and far more severe.

Losing a filing cabinet with 500 records is difficult. Losing a laptop with 5 million records is all too easy. For this reason, over 40 states have adopted security breach notice laws modeled on California law.

Privacy notification laws won’t stop every security lapse from happening. But they will make businesses and agencies take more precautions to safeguard their data files. And if you ever do get that dreaded letter in the mail, you’ll be able to do something about it.

As the tally of victims grows, so must our commitment to strengthen privacy protections.  Californians deserve the added protection that SB 24 will provide.