The California legislature should consider legislation to amend the state’s breach notice law to strengthen the substitute notice procedure, clarify the roles and responsibilities of data owners and data maintainers, and require a final breach report to the attorney general, according to California Attorney General Kamala Harris. This was just one of 12 recommendations Harris made in a report released on October 28 following a review of the 298 breaches reported since 2012, including 167 reported in 2013.
“This report sheds light on the threat that data breaches pose to California consumers and businesses,” Harris wrote in the report. “It also contains best practices and makes recommendations to companies, law enforcement agencies, and the legislature about how data security can be improved.”
According to the report, the number of data breaches in California climbed by 28% in 2013, with 18.5 million records of California residents put at risk. Retailers reported about 26% of the total breaches in the state, although retail breaches were responsible for about 84% of the total records breached in 2013.
The report came out nearly a month after Governor Jerry Brown signed legislation on September 30 to update the state’s data breach notification law. That measure (A.B. 1710), which takes effect January 1, 2015, started as a broad measure to hold businesses liable for certain costs of data breaches but was later narrowed to address only requirements to maintain reasonable security, offer identity theft prevention and mitigation services, and prohibit the sale of Social Security numbers.
“AB 1710 will increase consumer privacy, ensure appropriate fraud and identity theft protection, and safeguard against the exploitation of personal information,” Assemblymen Roger Dickinson (D), the bill’s author, said in a statement after the measure was signed.
In addition to the data breach legislation, Brown signed a measure updating California's invasion of privacy law, as well as three new student data privacy laws. A.B. 2306 makes it a constructive privacy invasion if a person attempts to capture visual images or sound recordings in an offensive way using any type of device.
“As technology continues to advance and new robotic-like devices become more affordable for the general public, the possibility of an individual’s privacy being invaded substantially increases,” said the bill’s author, Assemblyman Ed Chau (D), in a press conference on October 7. “This new law will update California privacy laws to better encompass future advances in technology by making it a constructive invasion of privacy to capture an image or sound recording in a manner that is offensive to a reasonable person, under circumstance where the subject had a reasonable expectation of privacy, through the use of any device.”
The new student privacy laws include S.B. 1177, which prohibits vendors from compiling or sharing personal information of students beyond what is necessary for marketing or advertising to the students; A.B. 1442, which requires school districts to notify students and parents in advance if they collect information about students posted on social media; and A.B. 1584, which allows local education agencies to enter into third-party contracts for services such as cloud storage or records management only if the contracts include specific privacy protections.