On October 11, 2009, Governor Schwarzenegger vetoed California Senate Bill 20 (“SB 20”), a bill that would have added new obligations under the state’s security breach notification law.[1] SB 20 would have required security breach notices to include certain types of information, and also would have required the California Attorney General to be notified of larger-scale breaches.

California’s landmark security breach notification law went into effect on July 1, 2003.[2] It requires any person or entity that conducts business in California, and that owns or licenses computerized data that includes “personal information,” to notify California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person through a security breach.[3]

Since 2003, 44 other states, as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, also have enacted security breach notification laws. In general, these state security breach notification laws are understood to be modeled on the California law. Many states, however, have built upon California’s model and added more detailed requirements. For example, at least fourteen states and Puerto Rico require security breach notices to include certain types of information for consumers.[4] In addition, at least thirteen states and Puerto Rico require an entity that suffers a security breach to notify a state regulator, such as the Attorney General, as well as the affected individuals.[5] With SB 20, California would have added similar requirements to its own breach notification laws.

Specifically, SB 20 would have amended the California law to require that security breach notices “be written in plain language” and include certain types of information, such as a list of the categories of “personal information” affected by the breach, the actual or estimated date of the breach (if known), the nature of the breach, and whether the notice was delayed as a result of a law enforcement investigation. Additionally, SB 20 would have required notifying the California Attorney General of any breach that resulted in breach notification to more than 500 California residents.

In vetoing SB 20, Governor Schwarzenegger lauded the beneficial consumer protections of the existing California law.[6] Nonetheless, the Governor believed that SB 20 was “unnecessary,” indicating that “there is no evidence that there is a problem with the information provided to consumers” under the existing law. The Governor also stated that “there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when [SB 20] does not require the Attorney General to do anything with the notices.” Concluding that SB 20 would have imposed additional and unnecessary duties on businesses “without a corresponding consumer benefit,” the Governor vetoed SB 20.

Despite the Governor’s veto of SB 20, California businesses should be mindful that consumers in other states may be covered by laws that require more detailed security breach notices and/or notification of state agencies. Additional information, including links to the state breach notification laws, is available through Morrison & Foerster’s free online privacy library at www.mofoprivacy.com.