California models security breach law

Feinstein legislation calls for notifying individuals that personal information may have been compromised


California today became the first state to require businesses and government agencies to notify individuals if a database containing personal data is compromised.

The new law has prompted a call for national notification legislation.

California's Security Breach Information Act (S.B. 1386) is intended to curb the growing problem of identity theft and led Sen. Dianne Feinstein (D-Calif.) to introduce federal legislation that would compel entities to notify people if someone has gained unauthorized access to customer information. Such information includes Social Security, state identification, driver's license, bank account and credit card numbers.

"I strongly believe individuals have a right to be notified when their most sensitive information is compromised — because it truly is their information," Feinstein said in a prepared statement. "This is both a matter of principle and a practical measure to curb identity theft."

Last year, about 162,000 U.S. consumers complained about some sort of identity theft — nearly double the year before — according to the Federal Trade Commission.

The increase suggests that something needs to be done, especially among smaller companies that handle credit cards via the Internet and government agencies that frequently deal with Social Security numbers.

"Larger companies tend to be OK at security," said John Pescatore, an analyst for Gartner Inc. "They have already been notifying people. The law is broad here, but government agencies and smaller companies will be the most affected by it. But it does need to be more painful for them if they make a mistake and release information."

If the federal legislation is enacted, companies and agencies would have to provide a notice to each person whose data was compromised. Entities that fail to comply with the law could be sued in court or face FTC fines of up to $25,000 per day while the violation persists.

"This bill has a tough but fair enforcement regime, and will give ordinary Americans more control and confidence about the safety of their personal information," Feinstein said. "Americans will have the security of knowing that, should a breach occur, they will be notified and be able to take protective action."