State Sen. Joe Simitian's bill would require companies involved to report to the state attorney general any data breach that affected more than 500 California residents. The proposed law also details what the companies have to tell their customers about the breaches.
He spoke at a symposium on the topic at the University of California, Berkeley, and suggested too many companies don't make things clear enough:
While some breach notification letters do a good job of telling users what happened to their data, a "substantial number" do not, Simitian said, adding that the lack of information leaves consumers "more confused than informed."
The bill actually would be an amendment to a state law passed six years ago — the first to force companies to tell their customers when their data was stolen. Simitian co-wrote the original law. Since then, 43 other states have passed similar laws.
Problem is, it's still rare that anyone beyond the customers themselves ever finds out about the breaches, Fred Cate, a law professor at Indiana University, told Computerworld. The laws in most states "don't require that any notifications be made to a central authority." Cate said that maybe 10 percent of breaches are made public.
Some states do require that a state agency be informed of breaches, but given that California has the largest population of any U.S. state, it has the potential to create "the country's largest repository of breach data." The chance of a data breach affecting California residents would seem to be greater because of the enormous population, so the state would probably receive notices of far more breaches than any other state.