The Green Sheet Online Edition
February 2, 2008 • 08:02:02
State bill clarifies breach obligations
With the Senate passage of SB 364, which California merchants and their ISOs would have to adhere to, the state moved closer to strengthening its data breach notification law.
It defines what information merchants must make publicly available if consumers' personal data are compromised in a breach.
SB 364 is meant to set data security standards for merchants to follow, and to then make required information available to consumers and state agencies as well, including law enforcement, to track and halt possible patterns of abuse.
California passed the initial security breach notification law in 2002, a combination of two bills - SB 1386 and Assembly Bill 700 - authored respectively by State Senator Steve Peace, D-El Cajon, and State Senator Joe Simitian, D-Palo Alto. That law went into effect on Jan. 1, 2003.
"The law has worked surprisingly well because it is simplicity itself," said Simitian in a speech on the floor of the Senate before the SB 364 vote on Jan. 31, 2008.
"It says that whether a governmental entity or a business holds your data [and then] loses that data, it has to tell you so you can take steps to protect yourself.
"That simple tool has meant that millions of American consumers have known when their personal [information] had been disclosed and they were at risk.
"Also it means there has been a powerful incentive on both government and business to improve their data security."
But the law failed to address what specific information public agencies, businesses or persons subject to that law needed to make public to consumers possibly affected by a security breach.
Thus, breach notification letters often lacked important information, such as the date of the breach or type of information that was compromised, leaving consumers in the dark about how to respond to the breach or what to do to protect themselves from identity theft.
Furthermore, there was no centralized location for the reporting of security breaches, meaning there was no way to assess or improve existing California security breach laws based on patterns of criminal activity or changing consumer practices.
SB 364 is designed to:
- Establish what security breach information must be divulged to affected consumers
- Direct the Office of Information Security and Privacy Protection (OISPP) at the Department of Consumer Affairs to collect, maintain and report security breaches to the California legislature
- Require public agencies, businesses and others to submit sample copies of their breach notification letters to OISPP
According to Simitian, the bill:
- Gives consumers more information to protect themselves from identity fraud
- Gives businesses greater clarity about what their obligations are when making a data breach notification to consumers
- Through the central repository of data breach information, gives law enforcement another tool for the fight against identity theft
Lawmakers removed the provision that would have required information about every breach to be publicly posted on a Web site. It was reportedly not economically feasible in California's current budget crisis. Merchants will only have to supply OISPP with sample data breach notification letters. Actual data breach notices will not be posted.
With the successful passage of SB 364 in the California State Senate, the bill now moves to the Assembly, where SB 364 will be further debated and voted upon. If it passes the Assembly with a majority vote, the bill will then go to the governor's desk, where it will either be vetoed or signed into law.
Similar changes to data breach notification laws have already been made in Michigan, New Hampshire, North Carolina and New Jersey.