Governor Arnold Schwarzenegger has vetoed an update to California’s landmark data-breach notification law, saying that the new bill would be too hard on businesses without adequately benefiting consumers.
The proposed law, SB 20, would have forced businesses to give consumers more information about security breaches and made the office of the state’s attorney general a repository for breach notifications affecting more than 500 California residents.
It would have been an incremental update to California’s 2002 breach notification law, which first opened a window on how U.S. companies handled consumers’ data. Since California’s law came into effect, nearly 340 million breached records have been counted by Privacy Rights Clearinghouse, a privacy watchdog group.
The updated bill, which was passed by the state Senate and Legislature last month, was authored by State Senator Joe Simitian, a Democrat from Palo Alto, California. It was vetoed during a flurry of last-minute activity on Sunday, the governor’s deadline for signing or vetoing legislation from the current legislative session.
“I’m surprised as well as disappointed by the Governor’s veto,” Simitian said in a statement. “There was no opposition to the bill in its final form. This was a common sense step to help consumers.”
Like its predecessor, SB 20 would have required businesses to notify consumers after losing control of unencrypted customer data — in the event of a laptop theft, hacking incident, or even the loss of a computer tape or hard drive, for example.
The updated law would have also required companies to tell consumers exactly what information had been compromised, and provide details of how it was lost. By creating a central repository of breach notification letters with the attorney general’s office — something that states such as New York, Maryland and New Hampshire have already done — Simitian hoped to help law enforcement better understand the scope of the problem.
Schwarzenegger disagreed, saying there “is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices,” in a veto message published on the state’s Web site.
“Since this measure would place additional unnecessary mandates on businesses without a corresponding consumer benefit, I am unable to sign this bill,” he said.