The chamber voted 30-7 in favor of the data breach notification bill, which requires notices to explain clearly what has happened and what people can do to protect themselves. Sen. Joe Simitian, who introduced the bill, said that some businesses already notify consumers properly.
"Others have sugarcoated the news, or buried it in legal jargon, with the result that people don't understand their vulnerability to identity theft," he said. "No one likes to get the news that information about them has been stolen, but when it happens, people are entitled to get a notice they can understand and that helps them decide what to do next."
California has already enacted a law that requires consumer notification when data breaches occur. The new bill requires companies, public agencies, and other organizations to provide toll-free numbers for credit reporting agencies so consumers can put holds on their cards, the name and contact information of the business affected, and what information may have been exposed or stolen. It also requires notices to explain when the breach occurred and the number of people affected by it.
Simitian's bill follows a recommendation from a study by the Samuelson Law, Technology & Public Policy Clinic at the University of California at Berkeley School of Law, which said notices should be standardized.
The bill also will create a central site where groups report data breaches, with the aim of allowing private companies, policy makers, and investigators to spot trends and learn lessons from others' mistakes.