This post was contributed by a community member. The views expressed here are the author's own.

Gov. Signs Simitian Data Theft Bill

Companies, agencies must clearly spell out who, when, how and how much.

State Sen. Joe Simitian's bill to aid victims of security breaches is finally law.

It marks the fourth time the Palo Alto Democrat introduced the bill, the fourth time it passed the legislature, and the first time it was not vetoed by a sitting governor.

The new law requires businesses and agencies where breaches took place to provide victims with a full accounting of what transpired, how it may affect them, and how they can protect themselves.

“No one likes to get the news that personal information about them has been stolen,” Simitian said in a press statement. “But when it happens, people are entitled to get the information they need to decide what to do next.”

The bill's supporters say security breaches will only increase and expand as organizations move more storage onto digital files -- and as hackers become ever more adept at outwitting security measures. High-profile breaches at Nasdaq, Health Net, the Veterans Administration and other organizations have made companies and consumers jittery.

"The crime of identity theft is not going away," said Beth Givens, director of Privacy Rights Clearinghouse, a nonprofit consumer education and advocacy group. Givens spoke with Patch Wednesday before the governor signed the bill.

The new law also instructs the state attorney general to begin compiling records of breaches affecting 500 people or more.

The measure strengthens the requirements of the existing data breach law, which was also authored by Simitian. Landmark legislation when passed in 2002, it has since been adopted by 14 states and Puerto Rico -- often with even stronger provisions.

Malware infected the Director Desk App at Nasdaq. At Bank of New York Mellon, an "old school" heist of tapes from a delivery truck yielded social security numbers for 4.5 million customers. Personal data on 76 million veterans walked out the door when the Veterans Administration sent a disk out for repair.

Last May, thieves stole a computer at Silicon Valley Eyecare. It was the server, and contained information for 40,000 patients.

Up to now, California law required data holders to notify individuals when personal information was breached -- but did not require them to divulge the type of information that was compromised, the time a breach took place, or how to contact major credit card agencies that record security breaches in the state.

“Letters (to victims) would go out, but be so vague they would not have any idea what steps to take,” Givens said.

A study by the Samuelson Law, Technology and Public Policy Clinic at UC Berkeley found that 28 percent of data breach victims notified “do not understand the potential consequences of the breach after reading the letter.”

After three consecutive vetoes, Simitian reintroduced the measure this year, hoping that with the change in Sacramento “a signature by the governor may be possible this year.”

More information on Senate Bill 24, and a look at the other versions of the bill introduced in past years, is available on Simitian's website. 

Simitian’s district spans three counties—Santa Clara, San Mateo and Santa Cruz—and encompasses San Carlos, Redwood City, Menlo Park, Atherton, East Palo Alto, Palo Alto, Stanford, Los Altos, Los Altos Hills, Cupertino, Campbell, Santa Cruz, Capitola, and a third of San Jose.
