California models security breach law


California today became the first state to require businesses and government agencies to notify individuals if a database containing personal data is compromised.

The new law has prompted a call for national notification legislation.

California's Security Breach Information Act (S.B. 1386) attempts to stop the growing problem of identity theft, and it led Sen. Dianne Feinstein (D-Calif.) to introduce federal legislation that would compel entities to notify people if someone has gained unauthorized access to customer information. Such information includes Social Security, state identification, driver's license, bank account and credit card numbers.

"I strongly believe individuals have a right to be notified when their most sensitive information is compromised — because it truly is their information," Feinstein said in a prepared statement. "This is both a matter of principle and a practical measure to curb identity theft."

Last year, about 162,000 U.S. consumers complained about some sort of identity theft — nearly double the year before — according to the Federal Trade Commission.

The increase suggests that something needs to be done, especially among smaller companies that handle credit cards via the Internet and government agencies that frequently deal with Social Security numbers.

"Larger companies tend to be OK at security," said John Pescatore, an analyst for Gartner Inc. "They have already been notifying people. The law is broad here, but government agencies and smaller companies will be the most affected by it. But it does need to be more painful for them if they make a mistake and release information."

If the legislation is enacted, companies and agencies would have to provide a notice to each person whose data was compromised. Entities that fail to comply with the law could be sued in court or face FTC fines of up to $25,000 per day while the violation persists.

"This bill has a tough but fair enforcement regime, and will give ordinary Americans more control and confidence about the safety of their personal information," Feinstein said. "Americans will have the security of knowing that, should a breach occur, they will be notified and be able to take protective action."

