A new bill just signed into law, to take effect on the first day of 2012, aims to improve breach reporting data by replacing SB 1386:
Specifically, SB 24 establishes standard, core content for data breach notifications including a general description of the incident, the type of information breached, the time of the breach, and toll-free telephone numbers and addresses of the major credit reporting agencies in California.
[…]
In addition, SB 24 also requires data holders to send an electronic copy of the notification to the Attorney General, if a single breach affects more than 500 Californians. This requirement will “give law enforcement the ability to see the big picture and better understand the patterns and practices of identity theft statewide,” [State Sen. Joe] Simitian explained.
The new Governor, Brown, clearly does not harbor the same concerns as his predecessor.
Schwarzenegger vetoed multiple similar bills, including one last year. Here is how he stated his objections in a veto letter:
This bill is unnecessary, however, because there is no evidence that there is a problem with the information provided to consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices.
I have to say I disagree. A repository of information leads to tangible benefits to consumers by enhancing our awareness and understanding of vulnerabilities and threats. A standardized repository of information leads to even more tangible benefits. It could even be argued the biggest improvements to privacy have come as a result of analysis of the breaches, not from the fines. Then again, since I regularly do analysis of breach data but I do not collect money for fines, I might be biased.
The interesting twist to this story is that Schwarzenegger apparently had no issue with the laws put on his desk to collect breach data related to medical information. After his wife’s data was compromised in the infamous UCLA case of 2008, he signed AB 211 and SB 541 into law.
Monday’s report was the fifth by the public health agency following articles in The Times this year about UCLA employees’ prying into the records of celebrities and prominent patients, including California First Lady Maria Shriver, actress Farrah Fawcett and singer Britney Spears.
Schwarzenegger then established a repository of breaches at the Department of Public Health (Health & Safety Code section 1280.15) a full year before he announced a lack of consumer benefit from a repository of breaches.
(b) (1) A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the department no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.
The big difference to him seems to have been the presence of fines in the text — penalties to make collecting breach data worthwhile. Now that he is out of office SB 24 has passed without any mention of fines. In that sense it is very unlike the text of Health & Safety Code section 1280.15.
The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed. […] Upon appropriation by the Legislature, moneys in the account shall be expended for internal quality improvement activities in the Licensing and Certification Program
California led the country when it passed SB 1386 and changed the landscape of consumer privacy protection. Now it trails more than a dozen other states that already have passed breach laws like SB 24. And while it is not clear that a breach law is any more effective with a fine in its text, a central repository of breach data in standardized format to me has very obvious benefits to consumer privacy.
I wish that California had had the guts to go where no government has gone before: http://seclists.org/dataloss/2008/q3/133.
Arshad Noor
StrongAuth, Inc.